Execution of container orchestration commands (e.g., docker exec, kubectl exec) or API-driven interactions with running containers from unauthorized hosts or non-standard user contexts. Defender sees programmatic or interactive command execution within containers outside expected CI/CD tools or automation frameworks, often followed by file writes, privilege escalation, or lateral discovery.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve: Execution of container management CLIs (docker, crictl, kubectl) or interpreted shells (sh, bash, python) within container context |
| Container Start (DC0077) | docker:events | exec_create: docker exec events targeting running containers from non-CI sources |
| Container Creation (DC0072) | kubernetes:apiserver | create/exec: Kubernetes API calls to exec into containers or create pods from curl, kubectl, or SDK clients |
| Pod Creation (DC0019) | AWS:CloudTrail | CreatePod: Programmatic creation of new pod resources using container images not seen before in the environment |
| Command Execution (DC0064) | kubernetes:audit | Shell process (e.g., /bin/sh, /bin/bash) spawned in a container without an interactive session attached (i.e., automation anomaly) |

| Field | Description |
|---|---|
| AuthorizedUserAgents | List of CI/CD pipeline runners, SRE tools, or cluster management agents allowed to invoke API/CLI commands in containers. |
| NewImageThreshold | Threshold for alerting on unseen container images pulled and executed. Adjust to reduce noise from frequent deploys. |
| TimeWindow | Temporal window to correlate container exec with shell spawn and network activity (default: 2 minutes). |
| InteractiveSessionExpectation | Set whether shell spawns without TTY or PTY should be flagged — based on org deployment model. |
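The following is an added illustration of how the AuthorizedUserAgents, TimeWindow and InteractiveSessionExpectation tunables above can be applied to kubernetes:audit exec records correlated with in-container execve observations; it is not part of the original detection strategy, and the agent strings, field names and sample records are constructed assumptions.

```python
from datetime import datetime, timedelta
from urllib.parse import urlparse, parse_qs

# Tunables mirroring the strategy parameters above (values are assumptions).
AUTHORIZED_USER_AGENTS = ("argocd/", "gitlab-runner/")   # AuthorizedUserAgents
TIME_WINDOW = timedelta(minutes=2)                         # TimeWindow
FLAG_NON_TTY_SHELLS = True                                 # InteractiveSessionExpectation
SHELLS = {"/bin/sh", "/bin/bash", "sh", "bash", "python", "python3"}

def parse_exec(event):
    """Pull command and tty flag out of an audit event's exec requestURI; None if not a pod exec."""
    if event.get("verb") != "create" or event.get("objectRef", {}).get("subresource") != "exec":
        return None
    q = parse_qs(urlparse(event["requestURI"]).query)
    return {"command": q.get("command", [""])[0], "tty": q.get("tty", ["false"])[0] == "true"}

def evaluate(audit_events, shell_spawns):
    """Return one alert per exec that is not from an authorized agent, listing why it fired."""
    alerts = []
    for ev in audit_events:
        ex = parse_exec(ev)
        if ex is None or ev["userAgent"].startswith(AUTHORIZED_USER_AGENTS):
            continue                       # expected automation: no alert
        reasons = ["unauthorized_user_agent"]
        if FLAG_NON_TTY_SHELLS and not ex["tty"] and ex["command"] in SHELLS:
            reasons.append("non_interactive_shell")
        pod, t0 = ev["objectRef"]["name"], datetime.fromisoformat(ev["requestReceivedTimestamp"])
        if any(s["pod"] == pod and s["exe"] in SHELLS
               and t0 <= datetime.fromisoformat(s["time"]) <= t0 + TIME_WINDOW for s in shell_spawns):
            reasons.append("shell_spawn_within_window")
        alerts.append({"pod": pod, "user": ev["user"]["username"], "reasons": reasons})
    return alerts

# Constructed sample input: three kubernetes:audit records and two in-container execve observations.
SAMPLE_AUDIT = [
    {"requestReceivedTimestamp": "2024-05-01T10:00:00", "verb": "create", "userAgent": "argocd/v2.9.3",
     "user": {"username": "system:serviceaccount:ci:argocd"}, "objectRef": {"name": "web-1", "subresource": "exec"},
     "requestURI": "/api/v1/namespaces/prod/pods/web-1/exec?command=%2Fbin%2Fsh&command=-c&command=ls&stdin=true"},
    {"requestReceivedTimestamp": "2024-05-01T10:05:00", "verb": "create", "userAgent": "curl/8.4.0",
     "user": {"username": "dev-laptop"}, "objectRef": {"name": "web-1", "subresource": "exec"},
     "requestURI": "/api/v1/namespaces/prod/pods/web-1/exec?command=%2Fbin%2Fbash&stdin=true&tty=false"},
    {"requestReceivedTimestamp": "2024-05-01T11:00:00", "verb": "create", "userAgent": "kubectl/v1.29.0",
     "user": {"username": "alice"}, "objectRef": {"name": "api-2", "subresource": "exec"},
     "requestURI": "/api/v1/namespaces/prod/pods/api-2/exec?command=%2Fbin%2Fbash&stdin=true&tty=true"},
]
SAMPLE_SPAWNS = [
    {"time": "2024-05-01T10:05:03", "pod": "web-1", "exe": "/bin/bash"},   # 3 s after the curl exec
    {"time": "2024-05-01T10:30:00", "pod": "web-1", "exe": "/bin/sh"},     # outside TimeWindow
]
```

Running `evaluate(SAMPLE_AUDIT, SAMPLE_SPAWNS)` yields two alerts: the curl-driven non-TTY bash exec that is followed by a bash spawn inside the window, and the interactive kubectl session from an agent not on the allowlist.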