Skip to content

DET0219 Detection Strategy for Escape to Host

Item Value
ID DET0219
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1611 (Escape to Host)

Analytics

Containers

AN0612

Detection of container escape attempts via bind mounts, privileged containers, or abuse of docker.sock. Defenders may observe anomalous volume mount configurations (e.g., hostPath to / or /proc), unexpected privileged container launches, or use of container administration commands to access host resources. These events typically correlate with subsequent process execution on the host outside of normal container isolation.

Log Sources
Data Component Name Channel
Container Creation (DC0072) docker:daemon container create/start with privileged flag or host volume mount
Volume Modification (DC0092) kubernetes:apiserver Pod spec with hostPath or privileged securityContext
Mutable Elements
Field Description
AllowedHostPaths List of directories permitted for hostPath volumes. Any access beyond these paths may be suspicious.
PrivilegedContainerThreshold Number of privileged container launches expected in the environment. Exceeding this may indicate adversary behavior.

Linux

AN0613

Detection of Linux container escape attempts via syscalls (unshare, keyctl, mount) or process execution outside container namespaces. Defenders may correlate unusual system calls from containerized processes with subsequent process creation on the host or modification of host resources.

Log Sources
Data Component Name Channel
OS API Execution (DC0021) auditd:SYSCALL unshare, mount, keyctl, setns syscalls executed by containerized processes
Process Creation (DC0032) linux:Sysmon process creation events linked to container namespaces executing host-level binaries
Mutable Elements
Field Description
SyscallWhitelist Expected syscalls by containerized workloads. Deviations may signal an escape attempt.
TimeWindow Defines correlation window (e.g., 60s) between suspicious syscalls and follow-on host process activity.

Windows

AN0614

Detection of Windows container escape attempts by observing processes accessing host directories, symbolic link abuse, or privilege escalation attempts. Defenders may detect anomalous process execution with access to system-level directories outside of container boundaries.

Log Sources
Data Component Name Channel
Process Creation (DC0032) WinEventLog:Security EventCode=4688
File Creation (DC0039) WinEventLog:Sysmon EventCode=11
Mutable Elements
Field Description
RestrictedHostDirs Critical system paths containers should not access (e.g., C:\Windows, C:\ProgramData).

ESXi

AN0615

Detection of ESXi escape attempts by monitoring for anomalies in hypervisor logs such as unexpected VM operations, privilege escalation events, or attempts to load malicious kernel modules within the hypervisor environment.

Log Sources
Data Component Name Channel
Kernel Module Load (DC0031) esxi:vmkernel VM exit/entry anomalies, unexpected hypercalls, or kernel module loading
Mutable Elements
Field Description
AllowedKernelModules Modules permitted in the hypervisor. Loading any module outside of this list may indicate compromise.