Threat Detections for Container Lateral Movements and Container Escapes — This is How

Rex Guo
Principle Security Researcher


The simplicity and flexibility of microservice architecture has led to an increasing adoption of containers and kubernetes in the cloud. According to Gartner, more than 75% of global organizations will be running containerized apps in production by 2022.

As the adoption increases, threat actors are evolving their toolsets to compromise container workloads. Recently, it is reported that 50,000 IPs across multiple Kubernetes clusters were compromised by TeamTNT.

Threat actors typically exploit vulnerabilities and/or misconfigurations of the container workloads. They can not only move between containers, but also move between containers and the underlying hosts. Recently, we observed that threat actors such as TeamTNT has developed more sophisticated techniques to perform container escapes.

TeamTNT’s Container Escape

In the TeamTNT operation we observed, once it gains foothold on a privileged container, it uses a container escape technique similar to the initial POC tweeted by Felix Wilhelm from Google. It abuses the cgroups release_agent feature as shown below:

By using the above script, an attacker is able to break out of the container and execute the cmd script as root if the container is ran as a privileged container. The nginx binary is actually a cryptocurrency miner. The attacker may used the name nginx to trick the victim into thinking that it’s legitimate web server and evade detections.

Container Lateral Movements and Container Escapes

Container lateral movements can be classified into three categories:

  1. Container to host (including container escapes)
  2. Host to container
  3. Container to container

Container escape can be further classified into three categories:

  1. Escape via configuration abuse
  2. Escape via kernel vulnerabilities
  3. Escape via container engine vulnerabilities

Detecting these activities is critical for detection and response. For example, in the case of container escape, an attacker who escapes the container will likely have access to host resources and other containers on the host.

The Confluera Approach

While traditional point-based detections show users a sea of independent alerts, Confluera XDR presents real-time threat progressions (a.k.a. incident timeline or attack narrative) to users and significantly improves efficacy. This allows DevSecOps/SOC analysts to quickly identify risk and prioritize risks mitigations by reviewing the logical threat progression instead of investigating the sea of independent alerts.

Confluera XDR tracks all the above mentioned container lateral movements and container escape categories.

Threat Progression for A Container Escape

In this post, we will demonstrate an example of Confluera XDR’s threat progression for containers.

Let’s look at an example breach involving container escape with cgroups release_agent. This belongs to theEscape via configuration abuse” category we mentioned above. We will visualize this incident through the lens of the MITRE ATT&CK framework, the de-facto industry standard for the definition and classification of infrastructure wide cyberattacks.

Our victim environment has a host machines (joe-el8) running a privileged container (the container ID ends with 7a1f40).

The attacker performed the following actions:

  1. Exploited a nodejs web application vulnerability on the container and used server processes to create shell processes with command (“Execution” technique)
  2. Spawned a reverse shell to the C2 server (“Execution” technique)
  3. Wrote payload to release_agent configuration files (“Persistence” technique)
  4. Let host execute the malicious payload using release_agent feature (“Lateral Movement” technique)
  5. Let host execute the file generated by the container from the host file system as root (“Privilege Escalation” technique)
  6. Ran suspicious network tools netcat in the container (“Execution” technique)
  7. Spawned a root reverse shell from the host to the container (“Execution” technique)
  8. Accessed the host /etc/shadow file in an abnormal way (“Credential Access” technique)

Confluera detects and captures the sequence of activities into a single threat progression as shown in the screenshot below. Keep in mind that there can be any number of alerts triggered on this host and/or this container by other activities. However, this threat progression will not show those alerts and therefore significantly improves efficacy.

Confluera XDR surfaces threat progression across your entire infrastructure instead of independent alerts


Malicious actors are becoming more sophisticated and constantly inventing new ways to attack the cloud infrastructure.

Confluera XDR tracks all three container lateral movements categories. It also tracks the three container escape categories. This blog post demonstrates an example of Confluera XDR’s precise execution tracking on attacker’s pre-and post-exploitation behaviors in a container environment.

Moreover, Confluera XDR detects threat progressions across endpoint, network and cloud. It also prevents successful cyber attacks by coordinating with endpoint, network, and cloud controls.

Contact us if you would like to know more.

Intercept Threats. Before Damage.

Ready to experience the benefit of Confluera?
Start your 30-day trial and see for yourself how the latest innovation in detection and response can fend off the most advanced modern cyber attacks.
Like to learn more about Confluera?
Schedule a 30-min demo with one of our cybersecurity experts to learn how Confluera can help you identify and intercept cyber threats before it becomes a breach.