Home/ MITRE Matrix/ Execution/ T1610

T1610Deploy Container

T1610 — Deploy Container is a MITRE ATT&CK technique in the Execution tactic. Clankerusecase tracks 11 detection use cases covering it and 9 threat-intel articles citing it.

Execution

View on the matrix → Filter Detection Library MITRE official spec ↗

11Use cases

9Articles

0Sub-techniques

1Tactic

Use cases covering this technique (11)

[WEEKLY] Public-Facing App Runtime Spawns Shell, LOLBin, or Container-Control Tool Internal exploit · alerting DSΣPDD [LLM] CVE-2026-48039 PoC artifact execution (meta-ads-mcp-vuln001 image, FAKE_TOKEN_FOR_POC_DEMO env) Bespoke exploit · alerting DSΣPDDCS [LLM] Enterprise Gateway service account creates Jupyter kernel pod as root (CVE-2026-44180 outcome) Bespoke exploit · alerting SPDDCW [LLM] Jupyter kernel pod created with hostPath volume by enterprise-gateway SA Bespoke actions · alerting SPDDCW [LLM] Privileged container launch — docker run --privileged from non-CI parent Bespoke exploit · alerting DSΣPDDCS [LLM] Portainer Swarm service spec with elevated Linux capabilities or unconfined Seccomp Bespoke exploit · alerting DSΣPDDCS [LLM] Docker plugin runtime spawned from /var/lib/docker/plugins/ on host (CVE-2026-44848) Bespoke install · alerting DSΣPDDCS [LLM] Docker daemon plugin install/enable event from non-admin context (CVE-2026-44848) Bespoke install · hunting SPDD [LLM] Docker / Kubernetes pull of compromised ghcr.io/elementary-data/elementary image Bespoke delivery · alerting DSΣPDDCS [LLM] Kubernetes privileged-pod DaemonSet fan-out from compromised LiteLLM workload Bespoke actions · hunting SPDD [LLM] Malicious privileged DaemonSet apply in kube-system (host-provisioner-iran / host-provisioner-std / kamikaze) Bespoke install · alerting DSΣPDDCS

Articles citing this technique (9)

crit [GHSA / CRITICAL] CVE-2026-48039: Meta Ads MCP: Unauthenticated HTTP MCP Tool Execution Leaks Operator Meta Access Token art-47

crit [GHSA / CRITICAL] CVE-2026-44180: Jupyter Enterprise Gateway: ContainerProcessProxy._enforce_prohibited_ids Bypass art-135

crit Containers on fire: from container escapes to supply chain attacks art-158

crit [GHSA / CRITICAL] CVE-2026-44849: Portainer has an endpoint security bypass via Swarm service create/update art-297

crit [GHSA / CRITICAL] CVE-2026-44848: Portainer missing authorization on Docker plugin endpoints, which allows host RCE art-298

high elementary-data Compromised on PyPI and GHCR: Forged Release Pushed via GitHub Actions Script Injection art-334

high You Patched LiteLLM, But Do You Know Your AI Blast Radius? art-414

crit How a Poisoned Security Scanner Became the Key to Backdooring LiteLLM art-443

high CanisterWorm Gets Teeth: TeamPCP's Kubernetes Wiper Targets Iran art-444