DET0249 Behavior-chain detection for T1610 Deploy Container across Docker & Kubernetes control/node planes

Item	Value
ID	DET0249
Version	1.0
Created	21 October 2025
Last Modified	21 October 2025

Technique Detected: T1610 (Deploy Container)

Analytics

Containers

AN0693

Remote/API driven creation and start of a container whose image is not on an allow‑list (or is tagged latest), executed by a non-admin principal, and/or started with risky runtime attributes (e.g., --privileged, host PID/NET namespaces, sensitive host path mounts, capability adds). Correlates create ➜ start ➜ first network/process actions from that container within a short time window.

Log Sources

Data Component	Name	Channel
Application Log Content (DC0038)	docker:daemon	container_create,container_start
Container Start (DC0077)	containerd:runtime	CRI CreateContainer/StartContainer with privileged=true OR added capabilities OR host* namespaces
Process Creation (DC0032)	ebpf:syscalls	process execution or network connect from just-created container PID namespace
Network Traffic Content (DC0085)	docker:events	remote API calls to /containers/create or /containers/{id}/start

Mutable Elements

Field	Description
known_images	Environment-specific allow-list of approved images (with digests).
known_admins	Service accounts or CI/CD users permitted to deploy containers.
TimeWindow	Max time between create, start, and first activity to consider events causally linked (default 5m).
RiskThreshold	Minimum number of risky attributes (e.g., unknown image + privileged) to alert.
PrivilegedFlags	Set of runtime flags considered high risk (e.g., –privileged, –cap-add=SYS_ADMIN, hostPID, hostNetwork, /var/run/docker.sock mount).