---
title: Container escape attack
---

# Container escape attack
Classification: attack | Tactic: [TA0004-privilege-escalation](https://attack.mitre.org/tactics/TA0004) | Technique: [T1609-container-administration-command](https://attack.mitre.org/techniques/T1609)
## Goal{% #goal %}

Detect container escape attacks by correlating multiple indicators of container breakout activity within the same execution context.

## Strategy{% #strategy %}

This correlation rule identifies container escape operations by detecting combinations of the following activity groups:

- **Container Breakout Enumeration**: Reading container environment files (`/proc/*/status`, `/proc/*/cgroup`, `/proc/*/mountinfo`, etc.) from processes in the container's upper layer
- **Privileged Container**: Detects containers starting with `CAP_SYS_ADMIN` capability (privileged mode)
- **Socket Discovery**: Searching for container management sockets using `find *.sock`
- **Container Management Abuse**: Execution of container management utilities (`docker`, `kubectl`, `ctr`) or `curl` requests to management sockets inside a container
- **Namespace Manipulation**: Mounting host file systems, hiding processes using `/proc` mounts, or using `nsenter`/`unshare` to escape namespaces
- **Cgroup Escape**: Writing to the cgroup `release_agent` file to execute code on the host
- **Proc Write Escape**: Writing to `/proc/sys/kernel/core_pattern` and triggering a coredump for host code execution
- **Ptrace Escape**: Using `ptrace` to trace privileged processes or inject code into host processes
- **Kernel Module Escape**: Loading kernel modules from disk or memory to gain kernel-level access
- **Evasive Execution**: Executing from `/dev/shm`, hidden files, newly created files, or using `nohup`

The rule triggers different severity levels based on the combination of detected activities:

| Case                            | Severity | Condition                                                      |
| ------------------------------- | -------- | -------------------------------------------------------------- |
| Kernel Module Container Escape  | Critical | Enumeration and Kernel Module Loading                          |
| Core Pattern Container Escape   | Critical | Enumeration and /proc/sys/kernel/core_pattern Write            |
| Ptrace Host Injection           | Critical | Enumeration and Ptrace on Host Processes                       |
| Cgroup Release Agent Escape     | Critical | Enumeration, Privileged Container, and release_agent Write     |
| Privileged Namespace Escape     | High     | Enumeration, Privileged Container, and Namespace Manipulation  |
| Docker Socket Escape            | High     | Enumeration, Socket Discovery, and Container Management Abuse  |
| Namespace Breakout with Evasion | Medium   | Enumeration, Namespace Manipulation, and Evasive Execution     |
| Suspicious Container Activity   | Medium   | Enumeration, Container Management Abuse, and Evasive Execution |
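The correlation logic in the table above, as an added illustration rather than Datadog's own rule engine: indicator groups are collected per execution context (here a constructed container id) and each context is matched against the case table, most severe case first.

```python
# Added example (not Datadog's implementation): correlate container-escape
# activity groups per execution context using the severity table above.
from collections import defaultdict

# Activity groups named in the rule.
ENUM = "Container Breakout Enumeration"
PRIV = "Privileged Container"
SOCK = "Socket Discovery"
MGMT = "Container Management Abuse"
NS = "Namespace Manipulation"
CGROUP = "Cgroup Escape"
PROCW = "Proc Write Escape"
PTRACE = "Ptrace Escape"
KMOD = "Kernel Module Escape"
EVASIVE = "Evasive Execution"

# (case, severity, required groups), ordered from most to least severe so a
# context that satisfies several cases reports the worst one first.
CASES = [
    ("Kernel Module Container Escape", "Critical", {ENUM, KMOD}),
    ("Core Pattern Container Escape", "Critical", {ENUM, PROCW}),
    ("Ptrace Host Injection", "Critical", {ENUM, PTRACE}),
    ("Cgroup Release Agent Escape", "Critical", {ENUM, PRIV, CGROUP}),
    ("Privileged Namespace Escape", "High", {ENUM, PRIV, NS}),
    ("Docker Socket Escape", "High", {ENUM, SOCK, MGMT}),
    ("Namespace Breakout with Evasion", "Medium", {ENUM, NS, EVASIVE}),
    ("Suspicious Container Activity", "Medium", {ENUM, MGMT, EVASIVE}),
]

def classify(groups):
    """Return every (case, severity) whose required groups are all present."""
    present = set(groups)
    return [(name, sev) for name, sev, req in CASES if req <= present]

def correlate(events):
    """Group (container_id, activity_group) events by container and classify.
    Contexts that match no case are omitted, so enumeration alone stays silent."""
    seen = defaultdict(set)
    for container_id, group in events:
        seen[container_id].add(group)
    return {cid: classify(g) for cid, g in seen.items() if classify(g)}

# Constructed sample signals for three hypothetical containers.
SAMPLE_EVENTS = [
    ("c1", ENUM), ("c1", PRIV), ("c1", CGROUP),               # release_agent chain
    ("c2", ENUM), ("c2", EVASIVE),                            # no complete case
    ("c3", ENUM), ("c3", SOCK), ("c3", MGMT), ("c3", EVASIVE),  # two cases
]

if __name__ == "__main__":
    for cid, hits in correlate(SAMPLE_EVENTS).items():
        print(cid, hits)
```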

## Triage & Response{% #triage--response %}

1. **Assume host compromise**: Immediately isolate the affected host and container. Treat the situation as a potential host compromise given the nature of container escape attacks.

1. **Terminate suspicious processes**: Identify and stop all processes involved in the escape attempt.

1. **Check container configuration**: Review container security settings, capabilities, privileged mode, and mount points for misconfigurations that enabled the attack.

1. **Examine escape techniques**: Analyze the specific escape vector used:

   - For kernel module escapes: Check loaded modules with `lsmod`
   - For core_pattern escapes: Verify `/proc/sys/kernel/core_pattern` contents
   - For Docker socket escapes: Review containers created using the socket
   - For ptrace escapes: Identify processes that were traced and injected

1. **Verify host impact**: Check host file system and processes for signs of successful container escape.

1. **Capture forensic evidence**: Take memory dumps and system snapshots from both container and host before remediation.

1. **Hunt for additional escapes**: Search for other containers attempting similar escape techniques across your environment.

1. **Rebuild with security**: Recreate containers with proper security controls, including restricted capabilities, read-only root file systems, and enhanced monitoring.
