Container Creation

"Container Creation" data component captures details about the initial construction of a container in a containerized environment. This includes events where a new container is instantiated, such as through Docker, Kubernetes, or other container orchestration platforms. Monitoring these events helps detect unauthorized or potentially malicious container creation. Examples:

  • Docker Example: docker create my-container, docker run --name=my-container nginx:latest
  • Kubernetes Example: kubectl run my-pod --image=nginx, kubectl create deployment my-deployment --image=nginx
  • Cloud Container Services Example
    • AWS ECS: Task or service creation (RunTask or CreateService).
    • Azure Container Instances: Deployment of a container group.
    • Google Kubernetes Engine (GKE): Creation of new pods via GCP APIs.

ID: DC0072
Domains: Enterprise
Version: 2.0
Created: 20 October 2021
Last Modified: 12 November 2025

Log Sources

Name                   Channel
containerd:events      create
docker:daemon          container create/start with privileged flag or host volume mount
docker:events          created, started: new container from untrusted registry or unexpected entrypoint
docker:events          docker run with restart=always or modifying init
kubernetes:apiserver   create/exec: Kubernetes API calls to exec into containers or create pods from curl, kubectl, or SDK clients
kubernetes:audit       create: Pod/Container created with image tag 'latest' or mutable tag; imagePullPolicy=Always; noDigest=true
kubernetes:events      container start/stop activity via Docker, containerd, or CRI-O
systemd:unit           container run with restart policy set to 'always' or 'unless-stopped'
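The kubernetes:audit and kubernetes:apiserver rows above describe what a detection over the API server audit log should look for: pod creation with a mutable image reference (tag 'latest', no tag, or no digest pin), imagePullPolicy=Always, a privileged security context or host volume mount, and exec calls into running containers. The following is an added example, not code from the data component page or from any vendor tool, that runs those checks over a few constructed audit.k8s.io/v1 entries; the event shapes follow the standard Kubernetes audit format, while the sample usernames, namespaces, pod names and image names are made up.

```python
import json
from dataclasses import dataclass
from typing import List, Optional

# Constructed Kubernetes audit log lines (audit.k8s.io/v1, RequestResponse level so
# that requestObject is present). These are illustrative, not from a real cluster.
SAMPLE_AUDIT_LINES = [
    json.dumps({
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": "create",
        "user": {"username": "dev-user"}, "userAgent": "kubectl/v1.30.0",
        "objectRef": {"resource": "pods", "namespace": "default", "name": "web-debug"},
        "requestObject": {"spec": {
            "containers": [{"name": "web", "image": "nginx:latest",
                            "imagePullPolicy": "Always",
                            "securityContext": {"privileged": True}}],
            "volumes": [{"name": "host-root", "hostPath": {"path": "/"}}]}},
    }),
    json.dumps({
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": "create",
        "user": {"username": "system:serviceaccount:ci:deployer"},
        "objectRef": {"resource": "pods", "namespace": "prod", "name": "app-7c9f"},
        "requestObject": {"spec": {"containers": [{
            "name": "app", "imagePullPolicy": "IfNotPresent",
            "image": "registry.example.com/app@sha256:" + "0123456789abcdef" * 4}]}},
    }),
    json.dumps({
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": "create",
        "user": {"username": "dev-user"}, "userAgent": "kubectl/v1.30.0",
        "objectRef": {"resource": "pods", "subresource": "exec",
                      "namespace": "prod", "name": "app-7c9f"},
    }),
    json.dumps({"kind": "Event", "verb": "get",
                "objectRef": {"resource": "pods", "namespace": "prod", "name": "app-7c9f"}}),
    "not json at all",  # malformed line, should be skipped rather than crash the scan
]


def image_findings(image: str) -> List[str]:
    """Reasons an image reference is mutable: a digest pin (name@sha256:...) is
    immutable; anything else is reported, with 'latest' or a missing tag called out."""
    name, digest = (image.split("@", 1) + [None])[:2]
    if digest and digest.startswith("sha256:"):
        return []
    # The tag is the text after the last ':' only if that ':' comes after the last '/'
    # (otherwise the ':' belongs to a registry port such as registry:5000/app).
    last_slash, colon = name.rfind("/"), name.rfind(":")
    tag = name[colon + 1:] if colon > last_slash else None
    findings = []
    if tag is None:
        findings.append("no tag (defaults to latest)")
    elif tag == "latest":
        findings.append("tag 'latest'")
    findings.append("no digest pin")
    return findings


@dataclass
class Alert:
    namespace: str
    pod: str
    user: str
    reasons: List[str]


def analyze_event(event: dict) -> Optional[Alert]:
    """Apply the page's kubernetes:audit / kubernetes:apiserver criteria to one event."""
    ref = event.get("objectRef", {})
    if event.get("verb") != "create" or ref.get("resource") != "pods":
        return None
    reasons: List[str] = []
    if ref.get("subresource") == "exec":  # kubectl exec is a create on pods/<name>/exec
        reasons.append("exec into running container")
    spec = event.get("requestObject", {}).get("spec", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        cname = c.get("name", "?")
        reasons.extend(f"{cname}: {f}" for f in image_findings(c.get("image", "")))
        if c.get("imagePullPolicy") == "Always":
            reasons.append(f"{cname}: imagePullPolicy=Always")
        if c.get("securityContext", {}).get("privileged"):
            reasons.append(f"{cname}: privileged")
    for v in spec.get("volumes", []):
        if "hostPath" in v:  # host volume mount, as in the docker:daemon row
            reasons.append(f"volume {v.get('name')}: hostPath mount {v['hostPath'].get('path')}")
    if not reasons:
        return None
    return Alert(ref.get("namespace", ""), ref.get("name", ""),
                 event.get("user", {}).get("username", ""), reasons)


def scan(lines) -> List[Alert]:
    """Scan newline-delimited JSON audit entries; malformed lines are skipped."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        alert = analyze_event(event)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_AUDIT_LINES):
        print(f"{a.namespace}/{a.pod} by {a.user}: {'; '.join(a.reasons)}")
```

The digest-pinned, IfNotPresent pod created by a CI service account produces no alert, while the 'latest'/privileged/hostPath pod and the exec call both do; in practice the per-reason strings feed a scoring or allow-list step (for example, exempting known CI principals) before paging anyone.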

Detection Strategy