LoFP / some container tools or deployments may use these techniques natively to determine how they proceed with execution, and will need to be filtered

Techniques

t1082

Sample rules

Container Residence Discovery Via Proc Virtual FS

source: sigma
technicques:
- t1082

Description

Detects potential container discovery via listing of certain kernel features in the “/proc” virtual filesystem

Detection logic

condition: selection_tools and 1 of selection_procfs_*
selection_procfs_kthreadd:
  CommandLine|contains: /proc/2/
selection_procfs_target:
  CommandLine|contains: /proc/
  CommandLine|endswith:
  - /cgroup
  - /sched
selection_tools:
  Image|endswith:
  - awk
  - /cat
  - grep
  - /head
  - /less
  - /more
  - /nl
  - /tail

Docker Container Discovery Via Dockerenv Listing

source: sigma
technicques:
- t1082

Description

Detects listing or file reading of “.dockerenv” which can be a sing of potential container discovery

Detection logic

condition: selection
selection:
  CommandLine|endswith: .dockerenv
  Image|endswith:
  - /cat
  - /dir
  - /find
  - /ls
  - /stat
  - /test
  - grep

Potential Container Discovery Via Inodes Listing

source: sigma
technicques:
- t1082

Description

Detects listing of the inodes of the “/” directory to determine if the we are running inside of a container.

Detection logic

condition: all of selection_*
selection_ls_cli:
- CommandLine|endswith: ' /'
- CommandLine|contains: ' / '
selection_ls_img:
  Image|endswith: /ls
selection_regex_dir:
  CommandLine|re: (?:\s-[^-\s]{0,20}d|\s--directory\s)
selection_regex_inode:
  CommandLine|re: (?:\s-[^-\s]{0,20}i|\s--inode\s)