# DC0072 Container Creation
| Item | Value |
|---|---|
| ID | DC0072 |
| Version | 2.0 |
| Created | 20 October 2021 |
| Last Modified | 12 November 2025 |

## Log Sources
| Name | Channel |
|---|---|
| containerd:events | create |
| docker:daemon | container create/start with privileged flag or host volume mount |
| docker:events | created,started: new container from untrusted registry or unexpected entrypoint |
| docker:events | docker run with restart=always or modifying init |
| kubernetes:apiserver | create/exec: Kubernetes API calls to exec into containers or create pods from curl, kubectl, or SDK clients |
| kubernetes:audit | create: Pod/Container created with image tag ‘latest’ or mutable tag; imagePullPolicy=Always; noDigest=true |
| kubernetes:events | container start/stop activity via Docker, containerd, or CRI-O |
| systemd:unit | container run with restart policy set to ‘always’ or ‘unless-stopped’ |

## Detection Strategy
| ID | Name | Technique Detected |
|---|---|---|
| DET0083 | Container CLI and API Abuse via Docker/Kubernetes (T1059.013) | T1059.013 |
| DET0473 | Detect persistent or elevated container services via container runtime or cluster manipulation | T1543.005 |
| DET0206 | Detection of Malicious Kubernetes CronJob Scheduling | T1053.007 |
| DET0571 | Detection of System Process Creation or Modification Across Platforms | T1543 |
| DET0219 | Detection Strategy for Escape to Host | T1611 |
| DET0540 | Multi-Platform Behavioral Detection for Compute Hijacking | T1496.001 |
| DET0248 | User Execution – Malicious Image (containers & IaaS) – pull/run → start → anomalous behavior (T1204.003) | T1204.003 |
| DET0478 | User Execution – multi-surface behavior chain (documents/links → helper/unpacker → LOLBIN/child → egress) | T1204 |