Container Creation

The "Container Creation" data component captures details about the initial construction of a container in a containerized environment. This includes events where a new container is instantiated, such as through Docker, Kubernetes, or other container orchestration platforms. Monitoring these events helps detect unauthorized or potentially malicious container creation. Examples:

  • Docker Example: docker create my-container, docker run --name=my-container nginx:latest
  • Kubernetes Example: kubectl run my-pod --image=nginx, kubectl create deployment my-deployment --image=nginx
  • Cloud Container Services Example
    • AWS ECS: Task or service creation (RunTask or CreateService).
    • Azure Container Instances: Deployment of a container group.
    • Google Kubernetes Engine (GKE): Creation of new pods via GCP APIs.

This data component can be collected through the following measures:

  • Docker Audit Logging: Enable Docker daemon logging to capture create commands. Configure the Docker daemon to use a log driver such as syslog or json-file.
  • Kubernetes Audit Logs: Enable Kubernetes API server audit logging.
  • Cloud Provider Logs
    • AWS CloudTrail: Enable logging for ECS RunTask or CreateService events.
    • Azure Monitor: Enable activity logging for container group creation.
    • GCP Cloud Logging: Monitor API calls such as container.projects.zones.clusters.create.
  • SIEM Integration: Use a SIEM to collect logs from Docker, Kubernetes, or cloud platforms.
ID: DC0072
Domains: Enterprise
Version: 2.0
Created: 20 October 2021
Last Modified: 21 October 2025

Log Sources

Each entry lists the log source name followed by the channel (event type or condition) to monitor:

  • containerd:events: create
  • docker:daemon: container create/start with privileged flag or host volume mount
  • docker:events: created, started: new container from untrusted registry or unexpected entrypoint
  • docker:events: docker run with restart=always or modifying init
  • kubernetes:apiserver: create/exec: Kubernetes API calls to exec into containers or create pods from curl, kubectl, or SDK clients
  • kubernetes:audit: create: Pod/Container created with image tag 'latest' or mutable tag; imagePullPolicy=Always; noDigest=true
  • kubernetes:events: container start/stop activity via Docker, containerd, or CRI-O
  • systemd:unit: container run with restart policy set to 'always' or 'unless-stopped'
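The kubernetes:apiserver and kubernetes:audit sources above describe two conditions worth alerting on: pod creation with a mutable image reference (tag 'latest', no tag, or no digest) and exec into a running container. The following added example, which is not part of the ATT&CK page or any vendor tooling, shows how a detection over API server audit logs might evaluate those conditions. It runs over a constructed sample of audit.k8s.io/v1 events and assumes the audit policy records requests for pods at the RequestResponse level, since the container image list lives in the requestObject field and is absent at lower audit levels. Only ResponseComplete events are counted, because the API server also emits a RequestReceived event for the same request.

```python
import json

# Constructed sample of Kubernetes API server audit events (audit.k8s.io/v1
# shape, trimmed to the fields used here). Real logs carry one JSON object
# per line; this sample is joined the same way.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"stage": "ResponseComplete", "verb": "create",
     "user": {"username": "alice"},
     "objectRef": {"resource": "pods", "namespace": "default", "name": "web"},
     "requestObject": {"spec": {"containers": [{"name": "web", "image": "nginx:latest"}]}}},
    {"stage": "ResponseComplete", "verb": "create",
     "user": {"username": "ci-bot"},
     "objectRef": {"resource": "pods", "namespace": "prod", "name": "api"},
     "requestObject": {"spec": {"containers": [
         {"name": "api", "image": "registry.example.com:5000/api@sha256:" + "0" * 64}]}}},
    {"stage": "ResponseComplete", "verb": "get",
     "user": {"username": "alice"},
     "objectRef": {"resource": "pods", "namespace": "default", "name": "web"}},
    {"stage": "ResponseComplete", "verb": "create",
     "user": {"username": "bob"},
     "objectRef": {"resource": "pods", "namespace": "default", "name": "web",
                   "subresource": "exec"}},
    {"stage": "ResponseComplete", "verb": "create",
     "user": {"username": "bob"},
     "objectRef": {"resource": "pods", "namespace": "dev", "name": "tool"},
     "requestObject": {"spec": {
         "initContainers": [{"name": "init", "image": "busybox"}],
         "containers": [{"name": "tool", "image": "registry.example.com:5000/tool:1.2.3"}]}}},
    # Same request as the first event at the RequestReceived stage: must not be
    # counted twice.
    {"stage": "RequestReceived", "verb": "create",
     "user": {"username": "alice"},
     "objectRef": {"resource": "pods", "namespace": "default", "name": "web"},
     "requestObject": {"spec": {"containers": [{"name": "web", "image": "nginx:latest"}]}}},
])


def image_is_mutable(image: str) -> bool:
    """True when the reference can resolve to different content over time:
    no digest, and either no tag or the 'latest' tag."""
    if "@sha256:" in image:
        return False                       # digest-pinned: immutable
    last = image.rsplit("/", 1)[-1]        # strip registry host (may carry ':port')
    if ":" not in last:
        return True                        # no tag means implicit 'latest'
    return last.split(":", 1)[1] == "latest"


def iter_events(log_text: str):
    """Yield one parsed audit event per non-empty line."""
    for line in log_text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def analyze_audit_log(log_text: str):
    """Return (finding_type, user, namespace/pod, image) tuples for
    pod creations with mutable images and for exec into pods."""
    findings = []
    for ev in iter_events(log_text):
        if ev.get("stage") != "ResponseComplete" or ev.get("verb") != "create":
            continue
        ref = ev.get("objectRef", {})
        if ref.get("resource") != "pods":
            continue
        user = ev.get("user", {}).get("username", "?")
        where = f"{ref.get('namespace')}/{ref.get('name')}"
        if ref.get("subresource") == "exec":
            # 'create' on the pods/exec subresource is how exec sessions open.
            findings.append(("exec", user, where, None))
            continue
        spec = ev.get("requestObject", {}).get("spec", {})
        for c in spec.get("initContainers", []) + spec.get("containers", []):
            img = c.get("image", "")
            if image_is_mutable(img):
                findings.append(("mutable-image", user, where, img))
    return findings


if __name__ == "__main__":
    for f in analyze_audit_log(SAMPLE_AUDIT_LOG):
        print(f)
```

Run as-is, it prints three findings: the nginx:latest pod created by alice, bob's exec into default/web, and the untagged busybox init container in dev/tool; the digest-pinned api image and the 1.2.3-tagged tool image are not reported. In a real deployment the same logic would be fed from the audit log backend or webhook the API server writes to.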

Detection Strategy