Techniques
Sample rules
Container Residence Discovery Via Proc Virtual FS
- source: sigma
- techniques:
- t1082
Description
Detects potential container discovery via listing of certain kernel features in the “/proc” virtual filesystem
Detection logic
condition: selection_tools and 1 of selection_procfs_*
selection_procfs_kthreadd:
  CommandLine|contains: /proc/2/
selection_procfs_target:
  CommandLine|contains: /proc/
  CommandLine|endswith:
    - /cgroup
    - /sched
selection_tools:
  Image|endswith:
    - awk
    - /cat
    - grep
    - /head
    - /less
    - /more
    - /nl
    - /tail
Potential Container Discovery Via Inodes Listing
- source: sigma
- techniques:
- t1082
Description
Detects listing of the inodes of the “/” directory to determine if we are running inside of a container.
Detection logic
condition: selection
selection:
  CommandLine|contains|all:
    - ' -*i'
    - ' -*d'
  CommandLine|endswith: ' /'
  Image|endswith: /ls
Docker Container Discovery Via Dockerenv Listing
- source: sigma
- techniques:
- t1082
Description
Detects listing or file reading of “.dockerenv” which can be a sign of potential container discovery
Detection logic
condition: selection
selection:
  CommandLine|endswith: .dockerenv
  Image|endswith:
    - /cat
    - /dir
    - /find
    - /ls
    - /stat
    - /test
    - grep
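As an added example (not Sigma's own code and not part of the original rules), a small Python evaluator that applies the three rules above to process-creation events, covering the `contains`, `endswith` and `contains|all` modifiers, Sigma's `*` wildcard and case-insensitive matching, and the `1 of selection_procfs_*` condition of the first rule. Event field names follow Sigma's process_creation log source (`Image`, `CommandLine`); the sample events are constructed.

```python
import re
def _value_regex(pattern: str, modifier: str) -> re.Pattern:
    """Sigma value -> regex: '*' is Sigma's wildcard, all else literal; case-insensitive as Sigma is by default."""
    anywhere = modifier.startswith("contains")          # 'contains' and 'contains|all'
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    lead, tail = (".*" if anywhere or modifier == "endswith" else ""), (".*" if anywhere else "")
    return re.compile(lead + body + tail, re.DOTALL | re.IGNORECASE)

def _field_matches(value: str, modifier: str, patterns) -> bool:
    """'contains'/'endswith' need any listed value to match; 'contains|all' needs every one."""
    patterns = patterns if isinstance(patterns, list) else [patterns]
    hits = [_value_regex(p, modifier).fullmatch(value) is not None for p in patterns]
    return all(hits) if modifier == "contains|all" else any(hits)

def _selection_matches(event: dict, selection: dict) -> bool:
    """Every 'Field|modifier: value' entry inside one selection must hold (Sigma ANDs them)."""
    return all(_field_matches(event.get(f, ""), m, v) for k, v in selection.items() for f, _, m in [k.partition("|")])

# The three rules transcribed from the page; selection names and values are unchanged.
PROCFS = {
    "selection_tools": {"Image|endswith": ["awk", "/cat", "grep", "/head", "/less", "/more", "/nl", "/tail"]},
    "selection_procfs_kthreadd": {"CommandLine|contains": "/proc/2/"},
    "selection_procfs_target": {"CommandLine|contains": "/proc/", "CommandLine|endswith": ["/cgroup", "/sched"]},
}
INODES = {"CommandLine|contains|all": [" -*i", " -*d"], "CommandLine|endswith": " /", "Image|endswith": "/ls"}
DOCKERENV = {"CommandLine|endswith": ".dockerenv",
             "Image|endswith": ["/cat", "/dir", "/find", "/ls", "/stat", "/test", "grep"]}

def detect(event: dict) -> list:
    """Return the titles of the rules above that fire on one process_creation event (Image, CommandLine)."""
    hits = []
    sels = {name: _selection_matches(event, sel) for name, sel in PROCFS.items()}
    # condition: selection_tools and 1 of selection_procfs_*
    if sels["selection_tools"] and any(v for n, v in sels.items() if n.startswith("selection_procfs_")):
        hits.append("Container Residence Discovery Via Proc Virtual FS")
    if _selection_matches(event, INODES):      # condition: selection
        hits.append("Potential Container Discovery Via Inodes Listing")
    if _selection_matches(event, DOCKERENV):   # condition: selection
        hits.append("Docker Container Discovery Via Dockerenv Listing")
    return hits

def run_samples() -> dict:
    """Constructed sample events: one per rule, plus a benign 'ls -l /' that must stay quiet."""
    events = [("/usr/bin/cat", "cat /proc/1/cgroup"), ("/bin/ls", "ls -di /"),
              ("/usr/bin/stat", "stat /.dockerenv"), ("/bin/ls", "ls -l /")]
    return {cmd: detect({"Image": img, "CommandLine": cmd}) for img, cmd in events}

if __name__ == "__main__":
    for cmd, hits in run_samples().items():
        print(cmd, "->", hits or "no match")
```

Note that `grep` and `awk` in `selection_tools` carry no leading slash, so they also match binaries such as `egrep` or `gawk`; the `1 of selection_procfs_*` clause fires on `/proc/2/` alone even without a `/cgroup` or `/sched` suffix.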