AN1373: Analytic 1373
Detects disabling container runtime security controls, removing sidecar sensors, modifying seccomp/AppArmor profiles, mounting host proc/sys paths to interfere with host logging, or killing in-container monitoring agents.
Analyst context for executives and security teams
This analytic is about recognizing when container security and monitoring controls are being weakened or removed. For leaders, the business issue is not just a container event; it is loss of visibility and control in a runtime environment that may support critical applications. If sidecar sensors, seccomp/AppArmor profiles, host logging paths, or in-container monitoring agents can be disabled without rapid detection, incident responders may lose the evidence needed to determine scope and maintain operational confidence.
Executive priority
Prioritize this as a cloud/container resilience and assurance question: can the organization prove that runtime security controls remain enforced and that attempts to disable or bypass them are visible? Security leaders should use this analytic to validate managed detection coverage, container platform hardening, incident response evidence quality, and compliance support for monitoring and control integrity. Because ATT&CK provides no tactic mapping or relationship context for this object, prioritization should be based on local container criticality and exposure.
Technical view
For SOC, detection engineering, and IR teams, validate telemetry for container runtime control changes and sensor tampering across container platforms. The analytic scope includes disabling container runtime security controls, removing sidecar sensors, modifying seccomp or AppArmor profiles, mounting host /proc or /sys paths in ways that interfere with host logging, and killing in-container monitoring agents. Since no official detection logic is supplied, teams should build environment-specific detections around configuration drift, process termination, unexpected volume mounts, and security-profile changes, then test them against approved administrative workflows to reduce false positives.
Likely telemetry
- Container runtime events and audit logs
- Kubernetes or container orchestration audit events where applicable
- Container specification and workload configuration changes
- seccomp and AppArmor profile assignment or modification records
- Sidecar container creation, removal, and restart history
Detection direction
- Confirm that container runtime and orchestration audit logs are collected before relying on this analytic.
- Alert on removal or unexpected absence of security sidecars or monitoring agents in workloads that should have them.
- Detect changes to seccomp or AppArmor profiles, especially movement from restricted profiles to less restrictive or unconfined settings.
- Monitor for container mounts of host /proc or /sys paths when not explicitly approved.
- Correlate agent process termination with workload deployment changes to distinguish maintenance from tampering.
Mitigation priorities
- Define and enforce baseline container security profiles for workloads using seccomp, AppArmor, or equivalent runtime controls where supported.
- Restrict who can modify workload specifications, sidecars, host path mounts, and runtime security settings.
- Protect monitoring and security agents with health checks, restart policies, and alerting on absence, not only on failure events.
- Limit host path mounts to documented use cases and review access to sensitive host paths such as /proc and /sys.
- Maintain independent audit logging so detection does not depend only on the in-container agent that could be killed.
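The detection direction and mitigation baseline above can be combined into one check: an added example (not code from the ATT&CK object or from Glexia) that evaluates a Kubernetes pod manifest against a local baseline and reports the AN1373 patterns it can see in the spec: a missing required sidecar, a seccomp profile loosened to Unconfined or left unset, an AppArmor annotation set to unconfined, and a hostPath volume that exposes /proc or /sys. The pod-spec field names are standard Kubernetes fields; the BASELINE values and the two sample manifests are constructed for the example.

```python
# Added example, not code from the ATT&CK object or from Glexia: evaluate a
# Kubernetes pod manifest (as a dict) against a local baseline and return
# findings for the tampering patterns AN1373 describes. Pod-spec field names are
# standard Kubernetes fields; BASELINE values and the sample pods are constructed.
SENSITIVE_HOST_PATHS = ("/proc", "/sys")        # host paths that can interfere with host logging
RESTRICTIVE_SECCOMP = {"RuntimeDefault", "Localhost"}
APPARMOR_PREFIX = "container.apparmor.security.beta.kubernetes.io/"
BASELINE = {"required_sidecars": {"security-sensor"}, "allowed_host_paths": ()}

def _under(path, prefixes):
    """True if path equals or lies beneath any of the given directory prefixes."""
    path = path.rstrip("/") or "/"
    return any(path == p or path.startswith(p.rstrip("/") + "/") for p in prefixes)

def check_pod(pod, baseline=BASELINE):
    """Return (severity, message) findings for one pod manifest."""
    findings = []
    spec, meta = pod.get("spec", {}), pod.get("metadata", {})
    containers = spec.get("containers", [])
    # 1. Required security sidecar or monitoring agent is absent from the workload
    for name in baseline["required_sidecars"] - {c.get("name") for c in containers}:
        findings.append(("high", f"required sidecar '{name}' absent"))
    # 2. seccomp loosened: pod-level profile not restrictive, or a container overrides to Unconfined
    pod_type = spec.get("securityContext", {}).get("seccompProfile", {}).get("type")
    if pod_type not in RESTRICTIVE_SECCOMP:
        findings.append(("medium", f"pod seccomp profile is {pod_type or 'unset'}"))
    for c in containers:
        if c.get("securityContext", {}).get("seccompProfile", {}).get("type") == "Unconfined":
            findings.append(("medium", f"container '{c.get('name')}' seccomp Unconfined"))
    # 3. AppArmor set to unconfined through the per-container annotation
    for key, val in meta.get("annotations", {}).items():
        if key.startswith(APPARMOR_PREFIX) and val == "unconfined":
            findings.append(("medium", f"AppArmor unconfined on container '{key[len(APPARMOR_PREFIX):]}'"))
    # 4. hostPath volume inside /proc or /sys, or a parent mount such as "/" that exposes them
    for vol in spec.get("volumes", []):
        hp = vol.get("hostPath", {}).get("path")
        if not hp or _under(hp, baseline["allowed_host_paths"]):
            continue  # no hostPath, or an approved exception from the baseline
        if _under(hp, SENSITIVE_HOST_PATHS) or any(_under(p, (hp,)) for p in SENSITIVE_HOST_PATHS):
            findings.append(("high", f"hostPath mount exposes sensitive host path via {hp}"))
    return findings

# Constructed sample manifests: one matching the baseline, one showing tampering.
COMPLIANT_POD = {
    "metadata": {"name": "api", "annotations": {APPARMOR_PREFIX + "app": "runtime/default"}},
    "spec": {"securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
             "containers": [{"name": "app"}, {"name": "security-sensor"}]}}
TAMPERED_POD = {
    "metadata": {"name": "api", "annotations": {APPARMOR_PREFIX + "app": "unconfined"}},
    "spec": {"securityContext": {"seccompProfile": {"type": "Unconfined"}},
             "containers": [{"name": "app"}],
             "volumes": [{"name": "hostsys", "hostPath": {"path": "/sys/kernel/debug"}}]}}
```

Running `check_pod` over manifests pulled from orchestration audit events or admission requests gives the configuration-drift signal the detection direction asks for; approved exceptions go into `allowed_host_paths` so documented use cases do not alert.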
Analyst notes and limits
This object is a detection analytic for the Containers platform, identified as AN1373, and its official description focuses on attempts to disable or interfere with container runtime security and monitoring controls. No ATT&CK tactics, related techniques, relationship context, or official detection logic were supplied, so implementation must be driven by local container architecture, logging sources, and policy baselines.
The source fields do not provide detection logic, data component mappings, tactics, related techniques, adversary procedures, or mitigation mappings. This take therefore avoids claims about active exploitation, attribution, impact, or guaranteed coverage. Local validation is required to determine whether the necessary telemetry exists and whether events represent malicious tampering or authorized administration.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 9e5fb58be1ef… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN1373
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.