
DET0065 Detection Strategy for Container Administration Command Abuse

| Item          | Value           |
|---------------|-----------------|
| ID            | DET0065         |
| Version       | 1.0             |
| Created       | 21 October 2025 |
| Last Modified | 21 October 2025 |

Technique Detected: T1609 (Container Administration Command)

Analytics

Containers

AN0177

Defenders may detect abuse of container administration commands by observing anomalous use of management utilities (docker exec, kubectl exec, or API calls to kubelet) correlated with unexpected process creation inside containers. Behavioral chains include unauthorized API requests followed by command execution within running pods or containers, often originating from unusual user accounts, automation scripts, or IP addresses outside the expected cluster management plane.

Log Sources
| Data Component            | Name                 | Channel                                                        |
|---------------------------|----------------------|----------------------------------------------------------------|
| Command Execution (DC0064) | docker:daemon        | docker exec or docker run with unexpected command/entrypoint   |
| Process Creation (DC0032)  | kubernetes:apiserver | kubectl exec or kubelet API calls targeting running pods       |
Mutable Elements
| Field                  | Description                                                                                                          |
|------------------------|----------------------------------------------------------------------------------------------------------------------|
| AuthorizedAdminUsers   | Expected admin accounts allowed to use exec commands; anomalies outside this list indicate possible abuse.           |
| ExecFrequencyThreshold | Defines how often docker exec or kubectl exec is normally observed; sudden spikes may indicate adversary behavior.    |
| SourceIPRange          | Expected IP ranges for management actions (e.g., cluster control plane). Requests from external/unexpected ranges may indicate compromise. |
| NamespaceScope         | Defines which namespaces typically allow exec operations; anomalous activity outside these may indicate lateral movement. |
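The following is an added example, not MITRE's code or part of this detection strategy as published: a minimal analytic in the spirit of AN0177 that applies the four mutable elements above to Kubernetes API server audit records for the pods/exec subresource. The audit records are constructed and use a simplified subset of the real audit Event fields (verb, user.username, sourceIPs, objectRef, requestURI, requestReceivedTimestamp); the admin accounts, IP range, namespaces and threshold are constructed baseline values that a deployment would replace with its own. The docker:daemon channel is not covered here and would need its own normalizer.

```python
"""Added example for DET0065 / AN0177 (illustrative, not MITRE's code).
Normalizes pods/exec audit records and evaluates the DET0065 mutable
elements against each exec. Sample records below are constructed."""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse

# Mutable elements from DET0065, filled with constructed sample values.
AUTHORIZED_ADMIN_USERS = {"admin@example.internal", "system:serviceaccount:ops:deploy-bot"}
EXEC_FREQUENCY_THRESHOLD = 3                                # execs per user per window
EXEC_WINDOW = timedelta(minutes=5)
SOURCE_IP_RANGES = [ipaddress.ip_network("10.0.0.0/24")]   # constructed control-plane range
NAMESPACE_SCOPE = {"ops", "ci"}                             # namespaces where exec is routine

# Constructed newline-delimited audit records (simplified audit Event fields, not real cluster data).
SAMPLE_AUDIT_LOG = r"""
{"verb":"create","user":{"username":"admin@example.internal"},"sourceIPs":["10.0.0.5"],"objectRef":{"resource":"pods","subresource":"exec","namespace":"ops","name":"web-0"},"requestURI":"/api/v1/namespaces/ops/pods/web-0/exec?command=sh&container=web&stdin=true&tty=true","requestReceivedTimestamp":"2025-10-21T10:00:00Z"}
{"verb":"get","user":{"username":"admin@example.internal"},"sourceIPs":["10.0.0.5"],"objectRef":{"resource":"pods","namespace":"ops","name":"web-0"},"requestURI":"/api/v1/namespaces/ops/pods/web-0","requestReceivedTimestamp":"2025-10-21T10:00:10Z"}
{"verb":"create","user":{"username":"system:serviceaccount:ops:deploy-bot"},"sourceIPs":["10.0.0.9"],"objectRef":{"resource":"pods","subresource":"exec","namespace":"ci","name":"build-7"},"requestURI":"/api/v1/namespaces/ci/pods/build-7/exec?command=cat&command=%2Fetc%2Fos-release&container=build","requestReceivedTimestamp":"2025-10-21T10:00:30Z"}
{"verb":"create","user":{"username":"dev-user"},"sourceIPs":["10.0.0.7"],"objectRef":{"resource":"pods","subresource":"exec","namespace":"ops","name":"web-0"},"requestURI":"/api/v1/namespaces/ops/pods/web-0/exec?command=sh&container=web&stdin=true","requestReceivedTimestamp":"2025-10-21T10:01:00Z"}
{"verb":"create","user":{"username":"admin@example.internal"},"sourceIPs":["203.0.113.44"],"objectRef":{"resource":"pods","subresource":"exec","namespace":"ops","name":"web-1"},"requestURI":"/api/v1/namespaces/ops/pods/web-1/exec?command=sh&container=web","requestReceivedTimestamp":"2025-10-21T10:02:00Z"}
{"verb":"create","user":{"username":"admin@example.internal"},"sourceIPs":["10.0.0.5"],"objectRef":{"resource":"pods","subresource":"exec","namespace":"payments","name":"api-3"},"requestURI":"/api/v1/namespaces/payments/pods/api-3/exec?command=sh&container=api","requestReceivedTimestamp":"2025-10-21T10:03:00Z"}
{"verb":"create","user":{"username":"admin@example.internal"},"sourceIPs":["10.0.0.5"],"objectRef":{"resource":"pods","subresource":"exec","namespace":"ops","name":"web-2"},"requestURI":"/api/v1/namespaces/ops/pods/web-2/exec?command=sh&container=web","requestReceivedTimestamp":"2025-10-21T10:04:00Z"}
"""


def parse_exec_events(audit_text):
    """Keep only pods/exec creations and normalize them; other records are dropped."""
    events = []
    for line in audit_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ref = ev.get("objectRef", {})
        if not (ev.get("verb") == "create" and ref.get("resource") == "pods"
                and ref.get("subresource") == "exec"):
            continue
        # kubectl passes the command as repeated ?command= query parameters.
        query = parse_qs(urlparse(ev.get("requestURI", "")).query)
        events.append({
            "ts": datetime.fromisoformat(ev["requestReceivedTimestamp"].replace("Z", "+00:00")),
            "user": ev["user"]["username"],
            "src_ip": ipaddress.ip_address(ev["sourceIPs"][0]),
            "namespace": ref.get("namespace", ""),
            "pod": ref.get("name", ""),
            "command": " ".join(query.get("command", [])),
        })
    return events


def evaluate(events):
    """Apply the DET0065 mutable elements to each exec; return one alert per anomalous exec."""
    alerts = []
    recent = defaultdict(list)  # user -> timestamps of execs inside EXEC_WINDOW
    for e in sorted(events, key=lambda x: x["ts"]):
        reasons = []
        if e["user"] not in AUTHORIZED_ADMIN_USERS:
            reasons.append("user not in AuthorizedAdminUsers")
        if not any(e["src_ip"] in net for net in SOURCE_IP_RANGES):
            reasons.append("source IP outside SourceIPRange")
        if e["namespace"] not in NAMESPACE_SCOPE:
            reasons.append("namespace outside NamespaceScope")
        window = recent[e["user"]]
        window.append(e["ts"])
        window[:] = [t for t in window if e["ts"] - t <= EXEC_WINDOW]  # sliding window
        if len(window) > EXEC_FREQUENCY_THRESHOLD:
            reasons.append(f"{len(window)} execs in {EXEC_WINDOW} exceeds ExecFrequencyThreshold")
        if reasons:
            alerts.append({"ts": e["ts"].isoformat(), "user": e["user"], "src_ip": str(e["src_ip"]),
                           "namespace": e["namespace"], "pod": e["pod"],
                           "command": e["command"], "reasons": reasons})
    return alerts


def run_sample():
    """Run the analytic over the constructed sample log."""
    return evaluate(parse_exec_events(SAMPLE_AUDIT_LOG))


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a['ts']} {a['user']} {a['src_ip']} {a['namespace']}/{a['pod']} "
              f"cmd={a['command']!r}: {'; '.join(a['reasons'])}")
```

On the sample log the benign execs by the two authorized accounts produce nothing; the four alerts are the unauthorized user, the authorized user arriving from outside the control-plane range, the exec into a namespace outside scope, and the fourth admin exec within five minutes, which trips ExecFrequencyThreshold. The frequency rule is evaluated per user on a sliding window, so tune the window and threshold together against an observed baseline before relying on it.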