AN0889: Analytic 0889
Modification of container runtime security profiles (AppArmor, seccomp) or removal of monitoring agents within containers. Detect unauthorized mounting/unmounting of host /proc or /sys to disable logging or auditing.
Analyst context for executives and security teams
This analytic is about detecting attempts to weaken container defenses by changing runtime security profiles such as AppArmor or seccomp, removing monitoring agents inside containers, or manipulating host /proc or /sys mounts in ways that could disable logging or auditing. For leaders, the practical issue is visibility and control integrity: if container security and monitoring can be altered without alerting, incident responders may lose the evidence needed to understand scope and restore trust.
Executive priority
Prioritize this as a container security and audit-readiness control validation item. The business question is whether production container environments can prove that runtime hardening, logging, and monitoring remain intact during an incident. Security leaders should ask which container workloads are allowed to alter security profiles or mount host system paths, who can authorize those actions, and whether SOC and IR teams receive reliable evidence when those controls are changed or removed.
Technical view
For the Containers platform, validate whether telemetry exists for changes to container runtime security profiles, especially AppArmor and seccomp, for removal or tampering of monitoring agents within containers, and for mounting or unmounting of host /proc or /sys paths. Because no official ATT&CK detection logic is provided and no relationships or tactics are supplied, teams should treat this as a detection engineering requirement rather than a ready-to-run analytic. Focus on policy drift, unexpected runtime configuration changes, and host-path mount activity that could affect logging or auditing.
Likely telemetry
- Container runtime events and configuration change records
- Kubernetes or container orchestration audit logs where applicable
- AppArmor and seccomp profile assignment or modification records
- Container image and runtime metadata showing enabled security profiles
- Host filesystem mount and unmount events involving /proc or /sys
Detection direction
- Confirm whether the SOC can see container runtime profile changes rather than only container start and stop events.
- Alert on unexpected AppArmor or seccomp profile modification, removal, or relaxation for containers that should be hardened.
- Monitor for host /proc or /sys mounts or unmounts from containers, with tuning for approved administrative, troubleshooting, or platform maintenance activity.
- Correlate container configuration changes with monitoring agent health loss, audit/logging gaps, or missing telemetry from the same workload.
- Baseline legitimate container workloads that require elevated host mounts to reduce false positives while preserving review of high-risk exceptions.
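As an added example (not the ATT&CK analytic's own logic, nor Glexia's code), the Python below applies the detection direction above to constructed Kubernetes audit events: it flags pods that relax seccomp or AppArmor, run privileged, or mount host /proc or /sys, and suppresses the host-mount finding for an assumed allowlist of approved workloads. The allowlist, the sample events and the workload names are assumptions; the seccompProfile and appArmorProfile fields and the AppArmor annotation are real Kubernetes settings.

```python
from posixpath import normpath

# Assumed baseline (not from the page): workloads allowed to mount host /proc or /sys.
APPROVED_HOST_MOUNTS = {("monitoring", "node-exporter")}   # (namespace, pod name prefix)
APPARMOR_ANN = "container.apparmor.security.beta.kubernetes.io/"  # pre-1.30 annotation form

def host_path_is_sensitive(path):
    """True for /proc, /sys or anything beneath them; normalised so /sys/../sys counts."""
    p = normpath(path)
    return any(p == root or p.startswith(root + "/") for root in ("/proc", "/sys"))

def review_pod(namespace, name, pod):
    """Return findings for one Pod object; an empty list means no hardening was relaxed."""
    findings, spec = [], pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    approved = any(namespace == ns and name.startswith(pfx) for ns, pfx in APPROVED_HOST_MOUNTS)
    for vol in spec.get("volumes", []):
        hp = (vol.get("hostPath") or {}).get("path")
        if hp and host_path_is_sensitive(hp) and not approved:
            findings.append(f"volume {vol['name']} mounts host path {hp}")
    for c in spec.get("containers", []):
        sc = c.get("securityContext") or {}          # container-level overrides pod-level
        if sc.get("privileged"):
            findings.append(f"{c['name']}: privileged container")
        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            findings.append(f"{c['name']}: seccomp profile {seccomp or 'unset'}")
        aa_ann = (pod.get("metadata", {}).get("annotations") or {}).get(APPARMOR_ANN + c["name"])
        aa_field = (sc.get("appArmorProfile") or pod_sc.get("appArmorProfile") or {}).get("type")
        if aa_ann == "unconfined" or aa_field == "Unconfined":   # 1.30+ securityContext form
            findings.append(f"{c['name']}: AppArmor unconfined")
    return findings

def review_audit_event(event):
    """Apply review_pod to one audit.k8s.io/v1 event (needs Request/RequestResponse level)."""
    ref, pod = event.get("objectRef", {}), event.get("requestObject")
    if ref.get("resource") != "pods" or event.get("verb") not in ("create", "update") or not pod:
        return []   # patch bodies are not full Pod objects, so they are skipped here
    name = ref.get("name") or pod.get("metadata", {}).get("name", "")
    return review_pod(ref.get("namespace", ""), name, pod)

# Constructed sample events: an approved exporter, then a pod relaxing every control at once.
SAMPLE_EVENTS = [
    {"verb": "create", "objectRef": {"resource": "pods", "namespace": "monitoring", "name": "node-exporter-7x"},
     "requestObject": {"spec": {"securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
                                "volumes": [{"name": "sys", "hostPath": {"path": "/sys"}}], "containers": [{"name": "exporter"}]}}},
    {"verb": "update", "objectRef": {"resource": "pods", "namespace": "payments", "name": "api-0"},
     "requestObject": {"metadata": {"annotations": {APPARMOR_ANN + "api": "unconfined"}},
                       "spec": {"volumes": [{"name": "hostproc", "hostPath": {"path": "/proc/../proc"}}],
                                "containers": [{"name": "api", "securityContext": {"privileged": True,
                                                "seccompProfile": {"type": "Unconfined"}}}]}}},
]
```

Running `review_audit_event` over each entry of `SAMPLE_EVENTS` yields no findings for the approved exporter and four for the payments pod, one per relaxed control.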
Mitigation priorities
- Restrict who and what can modify container runtime security profiles or mount host system paths.
- Enforce approved AppArmor and seccomp profile usage for container workloads where supported by the platform.
- Limit privileged container behavior and host path access to documented, reviewed exceptions.
- Protect monitoring agents and audit/logging components from unauthorized removal or tampering.
- Continuously validate that container security posture and telemetry remain intact after deployments, maintenance, and incident response actions.
Analyst notes and limits
This object is a MITRE ATT&CK detection analytic, AN0889, for the enterprise-attack domain and Containers platform. The supplied ATT&CK content describes the behavior to detect but does not include official detection logic, tactics, relationships, aliases, or labels. Local implementation should therefore be driven by the organization’s container runtime, orchestration layer, logging architecture, and approved operational exceptions.
The source data does not provide a detection query, specific data components, related techniques, adversary use, impact statements, or active exploitation context. Coverage cannot be assumed from this analytic alone; it must be validated against local container telemetry and control configurations.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 150a6c0a3883… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.