DET0083 Container CLI and API Abuse via Docker/Kubernetes (T1059.013)

Item	Value
ID	DET0083
Version	1.0
Created	21 October 2025
Last Modified	21 October 2025

Technique Detected: T1059.013 (Container CLI/API)

Analytics

Containers

AN0233

Execution of container orchestration commands (e.g., docker exec, kubectl exec) or API-driven interactions with running containers from unauthorized hosts or non-standard user contexts. Defender sees programmatic or interactive command execution within containers outside expected CI/CD tools or automation frameworks, often followed by file writes, privilege escalation, or lateral discovery.

Log Sources

Data Component	Name	Channel
Process Creation (DC0032)	auditd:SYSCALL	execve: Execution of container management CLIs (docker, crictl, kubectl) or interpreted shells (sh, bash, python) within container context
Container Start (DC0077)	docker:events	exec_create: docker exec events targeting running containers from non-CI sources
Container Creation (DC0072)	kubernetes:apiserver	create/exec: Kubernetes API calls to exec into containers or create pods from curl, kubectl, or SDK clients
Pod Creation (DC0019)	AWS:CloudTrail	CreatePod: Programmatic creation of new pod resources using container images not seen before in the environment
Command Execution (DC0064)	kubernetes:audit	Shell process (e.g., /bin/sh, /bin/bash) spawned in a container without an interactive session attached (i.e., automation anomaly)

Mutable Elements

Field	Description
AuthorizedUserAgents	List of CI/CD pipeline runners, SRE tools, or cluster mgmt agents allowed to invoke API/CLI commands in containers.
NewImageThreshold	Threshold for alerting on unseen container images pulled and executed. Adjust to reduce noise from frequent deploys.
TimeWindow	Temporal window to correlate container exec with shell spawn and network activity (default: 2 minutes).
InteractiveSessionExpectation	Set whether shell spawns without TTY or PTY should be flagged — based on org deployment model.