Container Runtime CLI Execution with Suspicious Arguments
Detects execution of container runtime CLI tools (ctr, crictl, nerdctl) with arguments indicating container creation, command execution inside existing containers, image manipulation, or host filesystem mounting, potentially leading to privileged container creation and unauthorized access to sensitive data.
This detection rule identifies the execution of container runtime CLI tools (ctr, crictl, nerdctl) with suspicious arguments, indicating malicious activity within a containerized environment. Attackers leveraging host-level access can exploit these tools to bypass the Kubernetes API server, RBAC authorization, admission webhooks, pod security standards, and Kubernetes audit logging. This allows attackers to create privileged “ghost” containers, execute commands within other pods to steal service account tokens and secrets, pull attacker-controlled images, and destroy evidence, all while remaining undetected by traditional Kubernetes-level monitoring. The rule specifically focuses on the use of ctr, crictl, and nerdctl with arguments related to task execution, privileged container creation, and snapshot mounting.
Attack Chain
- Attacker gains initial host-level access through a compromised node or other vulnerability.
- Attacker utilizes a container runtime CLI tool (ctr, crictl, or nerdctl) to interact directly with the container runtime socket.
- The attacker executes ctr tasks exec with a specified container ID to gain shell access within the targeted container.
- Alternatively, the attacker uses ctr run --privileged to create a new, highly privileged container, effectively bypassing security policies.
- The attacker mounts host filesystems into the container using ctr run --mount, granting them access to sensitive host data.
- Attacker pulls malicious images from untrusted registries using ctr pull <malicious_image>, introducing potentially compromised software into the environment.
- The attacker leverages access to steal service account tokens and other secrets from targeted pods.
- The attacker uses the compromised environment to move laterally within the cluster, escalate privileges, and exfiltrate sensitive data.
Impact
Successful exploitation can lead to a complete compromise of the Kubernetes cluster. Attackers can gain unauthorized access to sensitive data, escalate privileges, and move laterally within the environment. The bypass of standard Kubernetes security controls makes detection difficult, allowing attackers to operate undetected for extended periods.
Recommendation
- Deploy the Sigma rule “Container Runtime CLI Execution with Suspicious Arguments” to your SIEM to detect suspicious container runtime CLI executions (rule: Container Runtime CLI Execution with Suspicious Arguments).
- Enable process execution telemetry with arguments from Elastic Defend and/or Auditd Manager to provide the necessary data for detection (setup instructions in the rule description).
- Tune the Sigma rule by filtering out legitimate parent processes, users, or host roles known to use these CLIs, to reduce false positives (false_positives in the rule description).
- Review and restrict host-level access to nodes to minimize the attack surface for this type of exploit (overview).
- Implement strict image scanning and registry controls to prevent the introduction of malicious images into the environment (attack chain step 6).
- Monitor file, network, and Kubernetes audit activity for pulls from unusual registries or subsequent pod changes to identify suspicious container activity (note).
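The matching and tuning logic described above, sketched as an added example that is not the platform's Sigma rule or code from the original page. The ECS-style field names, the reason labels, the exact argument patterns and the allowlisted parent name are assumptions, and the sample events are constructed.

```python
import os

RUNTIME_CLIS = {"ctr", "crictl", "nerdctl"}
# Hypothetical allowlist used for tuning; replace with parents known on your nodes.
ALLOWED_PARENTS = {"image-prepuller"}

def classify(argv):
    """Return sorted reasons why a runtime CLI command line is suspicious."""
    if not argv or os.path.basename(argv[0]) not in RUNTIME_CLIS:
        return []
    args = argv[1:]
    reasons = set()
    if "exec" in args:  # ctr tasks exec, crictl exec, nerdctl exec
        reasons.add("exec-in-container")
    if "run" in args:
        if "--privileged" in args:
            reasons.add("privileged-container")
        if any(a == "--mount" or a.startswith("--mount=") for a in args):
            reasons.add("mount-option")
    if "mount" in args and {"snapshots", "snapshot"} & set(args):
        reasons.add("snapshot-mount")
    if "pull" in args:
        reasons.add("image-pull")
    return sorted(reasons)

def detect(events, allowed_parents=ALLOWED_PARENTS):
    """Return (host, command line, reasons) for events not from allowlisted parents."""
    alerts = []
    for ev in events:
        reasons = classify(ev["process.args"])
        if reasons and ev["process.parent.name"] not in allowed_parents:
            alerts.append((ev["host.name"], " ".join(ev["process.args"]), reasons))
    return alerts

# Constructed sample events; angle-bracket values are placeholders, not real data.
SAMPLE_EVENTS = [
    {"host.name": "node-a", "process.parent.name": "bash",
     "process.args": ["ctr", "-n", "k8s.io", "tasks", "exec", "--exec-id", "e1", "<container-id>", "sh"]},
    {"host.name": "node-a", "process.parent.name": "bash",
     "process.args": ["/usr/bin/ctr", "run", "--privileged", "--mount", "<mount-spec>", "<image>", "<id>"]},
    {"host.name": "node-b", "process.parent.name": "image-prepuller",
     "process.args": ["crictl", "pull", "<image>"]},
    {"host.name": "node-b", "process.parent.name": "bash",
     "process.args": ["crictl", "ps"]},
]

if __name__ == "__main__":
    for host, cmd, reasons in detect(SAMPLE_EVENTS):
        print(f"{host}: {cmd} -> {', '.join(reasons)}")
```

Token matching is position-independent, so a container command that happens to contain a word such as exec or pull will also match; that trade-off favours recall, and the parent allowlist is where false positives are trimmed.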
Detection coverage (2)
Container Runtime CLI Execution with Suspicious Arguments
Severity: medium. Detects execution of container runtime CLI tools (ctr, crictl, nerdctl) with arguments indicating container creation, command execution inside existing containers, image manipulation, or host filesystem mounting.
Suspicious Container Runtime Socket Access from Temporary Locations
Severity: high. Detects processes running from /tmp, /dev/shm or /var/tmp accessing container runtime sockets, indicating potential container escape attempts.