Triage | P1 | ~90 min

Container Escape Detected

Confirm and characterize the container escape primitive: privileged capabilities (CAP_SYS_ADMIN, CAP_DAC_READ_SEARCH), host mounts (Docker socket, /proc, /var/run), shared namespaces (host PID, host network), or kernel vulnerability exploitation. The primitive dictates what the attacker can do on the node and cluster.

Actions

  1. Inspect the compromised pod spec for escape-enabling configuration: `securityContext.privileged`, dangerous capabilities, hostPath mounts to /, host namespaces, kernel module loading capability.

  2. Check for host-mounted Docker socket (/var/run/docker.sock) -- single most common container escape vector; mount implies full node compromise capability.

  3. Review eBPF / Falco alerts in the compromise window for escape-adjacent events: write to /proc, unexpected setuid, kernel module load, cgroup breakout patterns.

  4. Map which cluster-privileged credentials the compromised pod had (service account tokens, cloud workload identity) -- escape often uses these to pivot cluster-wide.

  5. Determine whether the escape has already occurred or is only possible: presence of escape primitive does not prove exploitation; look for execution evidence on the node.
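As an added example (not part of this playbook), a Python audit that applies steps 1 and 2 to `kubectl get pods -A -o json` output: it flags privileged containers, the capabilities the page names plus CAP_SYS_MODULE, host namespaces, and hostPath mounts of / , /proc, /var/run or the Docker socket. The pod list is constructed, not real cluster output.

```python
"""Audit pod specs for container-escape primitives (playbook steps 1-2)."""
import json

# Added capabilities that by themselves give an escape path (CAP_ prefix optional in k8s).
DANGEROUS_CAPS = {"SYS_ADMIN", "DAC_READ_SEARCH", "SYS_MODULE", "ALL"}
# Host paths whose mount implies node-level control; checked after trailing-slash normalization.
DANGEROUS_HOST_PATHS = {"/", "/proc", "/var/run", "/run"}


def _cap(name):
    """Normalize 'cap_sys_admin' / 'SYS_ADMIN' to 'SYS_ADMIN'."""
    name = name.upper()
    return name[4:] if name.startswith("CAP_") else name


def escape_primitives(pod):
    """Return a list of escape-enabling findings for one pod (kubectl JSON shape)."""
    spec = pod.get("spec", {})
    findings = [f"{k}=true" for k in ("hostPID", "hostNetwork", "hostIPC") if spec.get(k)]
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append(f"container {c['name']}: privileged")
        caps = {_cap(x) for x in (sc.get("capabilities") or {}).get("add", [])}
        findings += [f"container {c['name']}: CAP_{cap}" for cap in sorted(caps & DANGEROUS_CAPS)]
    for v in spec.get("volumes", []):
        hp = (v.get("hostPath") or {}).get("path")
        if hp is None:
            continue
        norm = hp.rstrip("/") or "/"
        if norm in DANGEROUS_HOST_PATHS or norm.endswith("docker.sock"):
            findings.append(f"hostPath {hp}")
    return findings


def audit(pod_list):
    """Map 'namespace/name' -> findings for every pod with at least one primitive."""
    out = {}
    for pod in pod_list["items"]:
        f = escape_primitives(pod)
        if f:
            out[f"{pod['metadata']['namespace']}/{pod['metadata']['name']}"] = f
    return out


# Constructed sample in `kubectl get pods -A -o json` shape (hypothetical pods, not real data).
SAMPLE = {"items": [
    {"metadata": {"namespace": "ci", "name": "runner-0"},
     "spec": {"hostPID": True,
              "containers": [{"name": "runner", "securityContext": {"privileged": True}}],
              "volumes": [{"name": "dock", "hostPath": {"path": "/var/run/docker.sock"}}]}},
    {"metadata": {"namespace": "web", "name": "api-1"},
     "spec": {"containers": [{"name": "api", "securityContext": {"capabilities": {"add": ["NET_BIND_SERVICE"]}}}],
              "volumes": [{"name": "cfg", "configMap": {"name": "api"}}]}},
]}

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE), indent=2))
```

A pod that appears here has the primitive, not necessarily the escape; step 5 still applies before escalating.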

Queries

kubectl get pods -A -o json | jq '.items[] | select(any(.spec.containers[]; .securityContext.privileged == true)) | {ns:.metadata.namespace,name:.metadata.name}'
kubectl get pods -A -o json | jq '.items[] | select(any(.spec.volumes[]?; .hostPath != null)) | {ns:.metadata.namespace,name:.metadata.name,host_paths:[.spec.volumes[] | select(.hostPath) | .hostPath.path]}'
DeviceProcessEvents | where ProcessCommandLine has_any ("nsenter","docker.sock","runc","capsh") | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessCommandLine

Notes

Privileged=true in the pod spec is not itself an incident; confirm actual misuse with process, filesystem, and network evidence on the node before escalating.

The most consequential escape primitive in practice is a host-mounted Docker socket; treat detection of this pattern as near-certain full-node capability.

Falco, Tracee, and Tetragon provide eBPF-backed detection for common escape syscalls; if deployed, their alerts are primary evidence.
