DC0077 Container Start

| Item | Value |
| --- | --- |
| ID | DC0077 |
| Version | 2.0 |
| Created | 20 October 2021 |
| Last Modified | 21 October 2025 |

Log Sources

| Name | Channel |
| --- | --- |
| containerd:runtime | CRI CreateContainer/StartContainer with privileged=true OR added capabilities OR host* namespaces |
| docker:events | exec_create: docker exec events targeting running containers from non-CI sources |
| docker:events | start |
| kubernetes:events | start: ContainerStarted or Pulling image → Started container |

Detection Strategy

| ID | Name | Technique Detected |
| --- | --- | --- |
| DET0249 | Behavior-chain detection for T1610 Deploy Container across Docker & Kubernetes control/node planes | T1610 |
| DET0083 | Container CLI and API Abuse via Docker/Kubernetes (T1059.013) | T1059.013 |
| DET0248 | User Execution – Malicious Image (containers & IaaS) – pull/run → start → anomalous behavior (T1204.003) | T1204.003 |
| DET0478 | User Execution – multi-surface behavior chain (documents/links → helper/unpacker → LOLBIN/child → egress) | T1204 |