Container Runtime CLI Execution with Suspicious Arguments

Last updated 13 days ago on 2026-04-29

Created 13 days ago on 2026-04-29

About

Detects execution of container runtime CLI tools (ctr, crictl, nerdctl) with arguments indicating container creation, command execution inside existing containers, image manipulation, or host filesystem mounting. These tools interact directly with the container runtime socket, bypassing the Kubernetes API server, RBAC authorization, admission webhooks, pod security standards, and Kubernetes audit logging entirely. Attackers with host-level access may use these tools to create privileged ghost containers, exec into other pods to steal service account tokens and secrets, pull attacker-controlled images, and destroy evidence, all while remaining invisible to Kubernetes-level monitoring.

Tags

Data Source: Auditd ManagerData Source: Elastic DefendDomain: ContainerDomain: EndpointOS: LinuxUse Case: Threat DetectionTactic: ExecutionLanguage: eql

Severity

medium

Risk Score

MITRE ATT&CK™

Execution (TA0002)(external, opens in a new tab or window)

↳ Container Administration Command (T1609)(external, opens in a new tab or window)

Privilege Escalation (TA0004)(external, opens in a new tab or window)

↳ Escape to Host (T1611)(external, opens in a new tab or window)

False Positive Examples

Platform automation, node bootstrap, and legitimate break-glass admin sessions may use these CLIs with overlapping arguments. Tune by parent process, user, or host role (worker vs bastion).

License

Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type

Event Correlation Rule

Integration Pack

Prebuilt Security Detection Rules

Index Patterns

auditbeat-*logs-auditd_manager.auditd-*logs-endpoint.events.process*

Related Integrations

endpoint(external, opens in a new tab or window)

auditd_manager(external, opens in a new tab or window)

Query

✄𐘗text code block:
✄𐘗process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "executed") and
(
  (
    process.name in ("ctr", "crictl", "nerdctl") and
    (
      (process.args == "tasks" and process.args == "exec") or
      (process.args == "run" and process.args in ("--privileged", "--rm", "--mount", "--net-host", "--pid-host")) or
      (process.args == "snapshots" and process.args == "mount")
    )
  ) or
  (
    (process.executable like ("/dev/shm/*", "/tmp/*", "/var/tmp/*") or process.name : ".*") and
    process.args like ("*containerd.sock*", "k8s.io")
  )
) and
not process.parent.executable in (
  "/usr/bin/kubelet", "/usr/local/bin/kubelet",
  "/usr/bin/containerd", "/usr/sbin/containerd",
  "/lib/systemd/systemd", "/usr/lib/systemd/systemd", "/sbin/init"
)

Install detection rules in Elastic Security

Detect Container Runtime CLI Execution with Suspicious Arguments in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).