Techniques
Sample rules
Container Residence Discovery Via Proc Virtual FS
- source: sigma
- techniques:
- t1082
Description
Detects potential container discovery via listing of certain kernel features in the “/proc” virtual filesystem
Detection logic
condition: selection_tools and 1 of selection_procfs_*
selection_procfs_kthreadd:
    CommandLine|contains: /proc/2/
selection_procfs_target:
    CommandLine|contains: /proc/
    CommandLine|endswith:
        - /cgroup
        - /sched
selection_tools:
    Image|endswith:
        - awk
        - /cat
        - grep
        - /head
        - /less
        - /more
        - /nl
        - /tail
Docker Container Discovery Via Dockerenv Listing
- source: sigma
- techniques:
- t1082
Description
Detects listing or file reading of “.dockerenv”, which can be a sign of potential container discovery
Detection logic
condition: selection
selection:
    CommandLine|endswith: .dockerenv
    Image|endswith:
        - /cat
        - /dir
        - /find
        - /ls
        - /stat
        - /test
        - grep
Potential Container Discovery Via Inodes Listing
- source: sigma
- techniques:
- t1082
Description
Detects listing of the inodes of the “/” directory to determine whether the process is running inside a container.
Detection logic
condition: all of selection_*
selection_ls_cli:
    - CommandLine|endswith: ' /'
    - CommandLine|contains: ' / '
selection_ls_img:
    Image|endswith: /ls
selection_regex_dir:
    CommandLine|re: (?:\s-[^-\s]{0,20}d|\s--directory\s)
selection_regex_inode:
    CommandLine|re: (?:\s-[^-\s]{0,20}i|\s--inode\s)
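The three rules above share one evaluation model: each named selection is an AND of its field tests (a list value is an OR of alternatives, and a list of maps is an OR of maps), and the condition combines selections. The following is an added example, not Sigma's own code or any of the rule authors' code, that implements just the three modifiers these rules use (contains, endswith, re) and runs all three detections over constructed process-creation events; the Image and CommandLine field names follow the Sigma process_creation convention, and the sample events are made up for illustration.

```python
import re

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/cat",  "CommandLine": "cat /proc/1/cgroup"},
    {"Image": "/usr/bin/cat",  "CommandLine": "cat /proc/2/sched"},
    {"Image": "/usr/bin/grep", "CommandLine": "grep -i docker /proc/self/cgroup"},
    {"Image": "/usr/bin/ls",   "CommandLine": "ls -la /proc/1/"},
    {"Image": "/usr/bin/cat",  "CommandLine": "cat /.dockerenv"},
    {"Image": "/usr/bin/test", "CommandLine": "test -f /.dockerenv"},
    {"Image": "/usr/bin/ls",   "CommandLine": "ls -di /"},
    {"Image": "/usr/bin/ls",   "CommandLine": "ls --directory --inode / "},
    {"Image": "/usr/bin/ls",   "CommandLine": "ls -la /"},
    {"Image": "/usr/bin/vim",  "CommandLine": "vim /proc/1/cgroup"},
]


def _field_match(event, key, expected):
    """Evaluate one 'Field|modifier: value(s)' test; a list of values is an OR."""
    field, _, modifier = key.partition("|")
    value = event.get(field, "")
    candidates = expected if isinstance(expected, list) else [expected]
    for cand in candidates:
        if modifier == "contains" and cand in value:
            return True
        if modifier == "endswith" and value.endswith(cand):
            return True
        if modifier == "re" and re.search(cand, value):
            return True
        if modifier == "" and value == cand:
            return True
    return False


def selection_matches(event, selection):
    """A map is an AND of its field tests; a list of maps is an OR of the maps."""
    if isinstance(selection, list):
        return any(selection_matches(event, s) for s in selection)
    return all(_field_match(event, k, v) for k, v in selection.items())


def rule_proc_vfs(event):
    # condition: selection_tools and 1 of selection_procfs_*
    tools = {"Image|endswith": ["awk", "/cat", "grep", "/head", "/less",
                                "/more", "/nl", "/tail"]}
    kthreadd = {"CommandLine|contains": "/proc/2/"}
    target = {"CommandLine|contains": "/proc/",
              "CommandLine|endswith": ["/cgroup", "/sched"]}
    return selection_matches(event, tools) and (
        selection_matches(event, kthreadd) or selection_matches(event, target))


def rule_dockerenv(event):
    # condition: selection
    selection = {"CommandLine|endswith": ".dockerenv",
                 "Image|endswith": ["/cat", "/dir", "/find", "/ls",
                                    "/stat", "/test", "grep"]}
    return selection_matches(event, selection)


def rule_inodes(event):
    # condition: all of selection_*
    ls_cli = [{"CommandLine|endswith": " /"}, {"CommandLine|contains": " / "}]
    ls_img = {"Image|endswith": "/ls"}
    regex_dir = {"CommandLine|re": r"(?:\s-[^-\s]{0,20}d|\s--directory\s)"}
    regex_inode = {"CommandLine|re": r"(?:\s-[^-\s]{0,20}i|\s--inode\s)"}
    return all(selection_matches(event, s)
               for s in (ls_cli, ls_img, regex_dir, regex_inode))


RULES = {
    "proc_vfs": rule_proc_vfs,
    "dockerenv": rule_dockerenv,
    "inodes": rule_inodes,
}


def evaluate(events):
    """Map each event's CommandLine to the names of the rules it triggers."""
    return {e["CommandLine"]: [name for name, fn in RULES.items() if fn(e)]
            for e in events}


if __name__ == "__main__":
    for cmd, hits in evaluate(SAMPLE_EVENTS).items():
        print(f"{cmd!r:45} -> {hits or 'no match'}")
```

Running it shows why the selections are shaped the way they are: `ls -la /` and `vim /proc/1/cgroup` do not fire because the inode rule needs both a directory and an inode flag and the procfs rule only fires for the listed reader tools, while `ls --directory --inode / ` is caught by the long-option branches of the two regexes and the `' / '` alternative of selection_ls_cli.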