Defenders may detect abuse of container administration commands by observing anomalous use of management utilities (docker exec, kubectl exec, or API calls to kubelet) correlated with unexpected process creation inside containers. Behavioral chains include unauthorized API requests followed by command execution within running pods or containers, often originating from unusual user accounts, automation scripts, or IP addresses outside the expected cluster management plane.
| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | docker:daemon | docker exec or docker run with unexpected command/entrypoint |
| Process Creation (DC0032) | kubernetes:apiserver | kubectl exec or kubelet API calls targeting running pods |

| Field | Description |
|---|---|
| AuthorizedAdminUsers | Expected admin accounts allowed to use exec commands; anomalies outside this list indicate possible abuse. |
| ExecFrequencyThreshold | Defines how often `docker exec` or `kubectl exec` is normally observed; sudden spikes may indicate adversary behavior. |
| SourceIPRange | Expected IP ranges for management actions (e.g., cluster control plane). Requests from external/unexpected ranges may indicate compromise. |
| NamespaceScope | Defines which namespaces typically allow exec operations; anomalous activity outside these may indicate lateral movement. |
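The following is an added example (not from the ATT&CK page) showing how the four tunable fields above can be applied as one analytic over Kubernetes apiserver audit events for the `kubectl exec` path (`pods/exec` subresource). The audit events, user names, IP ranges and namespaces are constructed for the example and would be replaced with an environment's own baseline.

```python
import ipaddress
import json
from collections import Counter

# Tunable elements named in the strategy; the values here are assumed for the example.
AUTHORIZED_ADMIN_USERS = {"admin@example.com"}
SOURCE_IP_RANGE = ipaddress.ip_network("10.0.0.0/8")   # expected control-plane range
NAMESPACE_SCOPE = {"kube-system", "ops-tools"}          # namespaces where exec is routine
EXEC_FREQUENCY_THRESHOLD = 2                            # execs per user before a spike is flagged

# Constructed apiserver audit events (JSON lines, trimmed to the fields the analytic reads).
SAMPLE_AUDIT_LOG = """\
{"verb":"create","user":{"username":"admin@example.com"},"sourceIPs":["10.1.2.3"],"objectRef":{"resource":"pods","subresource":"exec","namespace":"kube-system","name":"coredns-0"}}
{"verb":"get","user":{"username":"admin@example.com"},"sourceIPs":["10.1.2.3"],"objectRef":{"resource":"pods","subresource":"log","namespace":"kube-system","name":"coredns-0"}}
{"verb":"create","user":{"username":"ci-runner"},"sourceIPs":["203.0.113.7"],"objectRef":{"resource":"pods","subresource":"exec","namespace":"payments","name":"api-5"}}
{"verb":"create","user":{"username":"ci-runner"},"sourceIPs":["203.0.113.7"],"objectRef":{"resource":"pods","subresource":"exec","namespace":"payments","name":"api-6"}}
{"verb":"create","user":{"username":"ci-runner"},"sourceIPs":["203.0.113.7"],"objectRef":{"resource":"pods","subresource":"exec","namespace":"payments","name":"api-7"}}
"""


def is_pod_exec(event):
    """True for an apiserver event that opens a pods/exec session (what kubectl exec does)."""
    ref = event.get("objectRef", {})
    return event.get("verb") == "create" and ref.get("resource") == "pods" and ref.get("subresource") == "exec"


def analyze_exec_events(log_text):
    """Return one finding per anomalous exec (user, pod, and which tunable checks fired)."""
    events = (json.loads(line) for line in log_text.splitlines() if line.strip())
    execs = [e for e in events if is_pod_exec(e)]
    per_user = Counter(e["user"]["username"] for e in execs)  # frequency baseline per account
    findings = []
    for e in execs:
        user, ref, reasons = e["user"]["username"], e["objectRef"], []
        if user not in AUTHORIZED_ADMIN_USERS:
            reasons.append("user not in AuthorizedAdminUsers")
        if not all(ipaddress.ip_address(ip) in SOURCE_IP_RANGE for ip in e.get("sourceIPs", [])):
            reasons.append("source IP outside SourceIPRange")
        if ref.get("namespace") not in NAMESPACE_SCOPE:
            reasons.append("namespace outside NamespaceScope")
        if per_user[user] > EXEC_FREQUENCY_THRESHOLD:
            reasons.append("exec count exceeds ExecFrequencyThreshold")
        if reasons:
            findings.append({"user": user, "pod": f"{ref.get('namespace')}/{ref.get('name')}", "reasons": reasons})
    return findings
```

Running `analyze_exec_events(SAMPLE_AUDIT_LOG)` yields three findings for `ci-runner` (every check fires) and none for the admin's in-scope exec, and the `pods/log` read is ignored because it is not an exec.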