
DET0473 Detect persistent or elevated container services via container runtime or cluster manipulation

Item            Value
ID              DET0473
Version         1.0
Created         21 October 2025
Last Modified   21 October 2025

Technique Detected: T1543.005 (Container Service)

Analytics

Containers

AN1304

Correlate the creation or modification of containers that are configured to persist, either through a restart policy such as ‘always’ or ‘unless-stopped’ or by being deployed as a DaemonSet (one pod on every matching node), with indicators of elevated host access: a privileged security context, host namespaces (hostPID, hostNetwork) or hostPath mounts, or a service account with more rights than the workload needs. Also watch for systemd units whose ExecStart launches a container runtime, and for pod scheduling (nodeSelector, nodeName) that pins workloads to specific nodes or places them in high-value namespaces such as kube-system. Persistence alone is normal for most workloads; the signal is persistence combined with elevated access.

Log Sources
Data Component                Name               Channel
Process Creation (DC0032)     auditd:SYSCALL     execve
Container Creation (DC0072)   systemd:unit       container run with restart policy set to ‘always’ or ‘unless-stopped’
Pod Creation (DC0019)         kubernetes:audit   create
Service Creation (DC0060)     kubernetes:audit   create
Mutable Elements
Field                     Description
restartPolicy             Tune for environments where trusted containers legitimately run with ‘always’ or ‘unless-stopped’; note that Kubernetes pods default to restartPolicy: Always, so the policy on its own is not a signal
targetNamespace           Scope detection to high-risk namespaces (e.g., kube-system)
nodeSelector / nodeName   Scope to pods pinned to specific nodes (e.g., control-plane nodes) rather than left to the scheduler
unitFilePath              Adapt to your OS/systemd unit hierarchy (e.g., /etc/systemd/system vs. /usr/lib/systemd/system) and the container binary referenced in ExecStart
TimeWindow                Adjust the temporal correlation window (e.g., container launch → privilege escalation)
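The following is an added example of the AN1304 correlation logic applied to the Kubernetes audit and systemd:unit sources above, with the mutable elements exposed as constants. It is illustrative code written for this page, not MITRE's or any vendor's detection content. It assumes audit events are dicts in the Kubernetes audit format captured at RequestResponse level (so `requestObject` is present), reads standard PodSpec fields (hostPID, hostPath, securityContext.privileged, capabilities), and parses systemd unit text for an ExecStart that runs docker/podman. All event records and the unit file are constructed samples; the TimeWindow correlation (container launch followed by a later privilege escalation) is not modelled here.

```python
"""Added example for DET0473 / AN1304 (not MITRE's code): flag Pod, DaemonSet
and systemd-unit creations that pair container persistence with elevated host
access. Every input below is a constructed sample, not a real log record."""
import re

# Mutable elements from the detection page; tune per environment.
HIGH_RISK_NAMESPACES = {"kube-system"}                  # targetNamespace
PERSISTENT_RESTART_POLICIES = {"Always"}                # restartPolicy (Pod spelling)
ENGINE_RESTART_POLICIES = {"always", "unless-stopped"}  # docker/podman --restart values
CONTAINER_BINARIES = re.compile(r"\b(docker|podman|nerdctl|ctr)\b")

def elevated_access_flags(pod_spec):
    """Return the elevated-host-access indicators present in a PodSpec dict."""
    flags = {k for k in ("hostPID", "hostNetwork", "hostIPC") if pod_spec.get(k)}
    for vol in pod_spec.get("volumes", []):
        if "hostPath" in vol:
            flags.add("hostPath:" + vol["hostPath"].get("path", "?"))
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            flags.add("privileged")
        for cap in (sc.get("capabilities") or {}).get("add", []):
            if cap in ("SYS_ADMIN", "ALL"):
                flags.add("cap:" + cap)
    return flags

def evaluate_audit_event(event):
    """Return an alert dict for a create event whose workload is persistent and elevated, else None."""
    obj = event.get("requestObject") or {}
    kind = obj.get("kind")
    if event.get("verb") != "create" or kind not in ("Pod", "DaemonSet"):
        return None
    if kind == "Pod":
        spec = obj.get("spec", {})
        policy = spec.get("restartPolicy", "Always")  # the API default is Always
        persistent, why = policy in PERSISTENT_RESTART_POLICIES, "restartPolicy=" + policy
    else:
        spec = obj.get("spec", {}).get("template", {}).get("spec", {})
        persistent, why = True, "DaemonSet (one pod on every matching node)"
    flags = elevated_access_flags(spec)
    if not (persistent and flags):
        return None
    ns = event.get("objectRef", {}).get("namespace", "default")
    return {"kind": kind, "name": obj.get("metadata", {}).get("name"),
            "namespace": ns, "high_risk_namespace": ns in HIGH_RISK_NAMESPACES,
            "persistence": why, "elevated_access": sorted(flags),
            "service_account": spec.get("serviceAccountName", "default"),
            "node_targeting": spec.get("nodeName") or spec.get("nodeSelector"),
            "user": event.get("user", {}).get("username")}

def evaluate_systemd_unit(unit_text):
    """Flag a unit whose ExecStart runs a container with a persistent restart
    policy (engine --restart or systemd Restart=always) plus host privileges."""
    unit_restart = re.search(r"^Restart=(\S+)", unit_text, re.M)
    for line in unit_text.splitlines():
        cmd = line.partition("ExecStart=")[2]
        if not (line.startswith("ExecStart=") and CONTAINER_BINARIES.search(cmd)):
            continue
        m = re.search(r"--restart[= ](\S+)", cmd)
        engine_policy = m.group(1) if m else None
        persistent = engine_policy in ENGINE_RESTART_POLICIES or bool(
            unit_restart and unit_restart.group(1) == "always")
        flags = [f for f in ("--privileged", "--pid=host", "--net=host", "--cap-add=SYS_ADMIN") if f in cmd]
        if re.search(r"(-v|--volume)[= ]/:/", cmd):
            flags.append("hostPath:/")
        if persistent and flags:
            return {"persistence": engine_policy or "Restart=always",
                    "elevated_access": flags, "command": cmd}
    return None

def _event(kind, ns, name, spec, user="admin"):  # minimal constructed audit record
    return {"verb": "create", "user": {"username": user},
            "objectRef": {"namespace": ns, "name": name},
            "requestObject": {"kind": kind, "metadata": {"name": name}, "spec": spec}}

SAMPLE_AUDIT_EVENTS = [  # constructed samples
    _event("Pod", "web", "api-1", {"restartPolicy": "Always",  # benign: persistent, no host access
           "containers": [{"name": "api", "image": "api:1"}]}),
    _event("Pod", "kube-system", "node-helper", {  # persistent + privileged, pinned to a node
           "hostPID": True, "nodeName": "cp-1", "serviceAccountName": "builder",
           "containers": [{"name": "h", "image": "alpine",
                           "securityContext": {"privileged": True}}]},
           user="system:serviceaccount:default:builder"),
    _event("DaemonSet", "monitoring", "agent", {"template": {"spec": {  # host root mounted
           "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
           "containers": [{"name": "a", "image": "agent:2"}]}}}),
    _event("Pod", "default", "fix-1", {"restartPolicy": "Never",  # one-shot: elevated, not persistent
           "containers": [{"name": "f", "image": "alpine",
                           "securityContext": {"privileged": True}}]}),
]

SAMPLE_UNIT = """[Service]
Restart=always
ExecStart=/usr/bin/docker run --name agent --restart=unless-stopped --privileged --pid=host -v /:/host agent:latest
"""

def run_samples():  # evaluate the constructed events; returns the alerts raised, in order
    return [a for a in map(evaluate_audit_event, SAMPLE_AUDIT_EVENTS) if a]
```

Of the four constructed events only two alert: the privileged hostPID pod pinned to cp-1 in kube-system, and the DaemonSet mounting the host root filesystem. The benign web pod is persistent but has no elevated access, and the one-shot privileged job has elevated access but restartPolicy: Never, which is why both halves of the correlation are required. The alert carries the requesting user and the pod's service account for the analyst to judge service-account misuse, rather than attempting to score that automatically.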