Container Residence Discovery Via Proc Virtual FS

Detects potential container discovery via listing of certain kernel features in the "/proc" virtual filesystem

Sigma rule

title: Container Residence Discovery Via Proc Virtual FS
id: 746c86fb-ccda-4816-8997-01386263acc4
status: test
description: Detects potential container discovery via listing of certain kernel features in the "/proc" virtual filesystem
references:
    - https://blog.skyplabs.net/posts/container-detection/
    - https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker
tags:
    - attack.discovery
    - attack.t1082
author: Seth Hanford
date: 2023-08-23
logsource:
    category: process_creation
    product: linux
detection:
    selection_tools:
        Image|endswith:
            - 'awk'
            - '/cat'
            - 'grep'
            - '/head'
            - '/less'
            - '/more'
            - '/nl'
            - '/tail'
    selection_procfs_kthreadd:  # outside containers, PID 2 == kthreadd
        CommandLine|contains: '/proc/2/'
    selection_procfs_target:
        CommandLine|contains: '/proc/'
        CommandLine|endswith:
            - '/cgroup'  # cgroups end in ':/' outside containers
            - '/sched'   # PID mismatch when run in containers
    condition: selection_tools and 1 of selection_procfs_*
falsepositives:
    - Legitimate system administrator usage of these commands
    - Some container tools or deployments may use these techniques natively to determine how they proceed with execution, and will need to be filtered
level: low
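To make the detection logic concrete, the following is an added worked example (not part of the rule, the Sigma project, or the rule's author's material) that evaluates the selections above over a handful of constructed process_creation events. It implements only the two modifiers the rule uses, |endswith and |contains, and the condition `selection_tools and 1 of selection_procfs_*`; the event field names `Image` and `CommandLine` follow the rule, and the sample events are invented for illustration.

```python
"""Minimal evaluator for the Sigma rule above (added example, not project code).

Only the modifiers the rule uses are implemented:
  Field|endswith  -> str.endswith on any listed value
  Field|contains  -> substring test
and the condition 'selection_tools and 1 of selection_procfs_*'.
"""

from typing import Dict, List

# Selections transcribed from the rule's YAML.
TOOL_SUFFIXES = ["awk", "/cat", "grep", "/head", "/less", "/more", "/nl", "/tail"]
KTHREADD_PATH = "/proc/2/"              # outside containers, PID 2 == kthreadd
PROCFS_TARGET_SUFFIXES = ["/cgroup", "/sched"]


def selection_tools(event: Dict[str, str]) -> bool:
    """Image|endswith: note that the bare suffixes 'awk' and 'grep' also
    match gawk/mawk and egrep/fgrep, while '/cat' requires a path separator
    so that e.g. '/usr/bin/concat' does not match."""
    image = event.get("Image", "")
    return any(image.endswith(suffix) for suffix in TOOL_SUFFIXES)


def selection_procfs_kthreadd(event: Dict[str, str]) -> bool:
    """CommandLine|contains: '/proc/2/'."""
    return KTHREADD_PATH in event.get("CommandLine", "")


def selection_procfs_target(event: Dict[str, str]) -> bool:
    """CommandLine|contains '/proc/' AND CommandLine|endswith one of the
    listed files; both field checks inside one selection are ANDed."""
    cmd = event.get("CommandLine", "")
    return "/proc/" in cmd and any(cmd.endswith(s) for s in PROCFS_TARGET_SUFFIXES)


def rule_matches(event: Dict[str, str]) -> bool:
    """condition: selection_tools and 1 of selection_procfs_*"""
    procfs_hit = selection_procfs_kthreadd(event) or selection_procfs_target(event)
    return selection_tools(event) and procfs_hit


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": "/usr/bin/cat",  "CommandLine": "cat /proc/1/cgroup"},           # match: target
    {"Image": "/usr/bin/head", "CommandLine": "head -n 1 /proc/self/sched"},   # match: target
    {"Image": "/usr/bin/cat",  "CommandLine": "cat /proc/2/status"},           # match: kthreadd
    {"Image": "/usr/bin/gawk", "CommandLine": "gawk '{print}' /proc/1/cgroup"},  # match: 'awk' suffix
    {"Image": "/usr/bin/ls",   "CommandLine": "ls -l /proc/1/cgroup"},         # no: ls not in tool list
    {"Image": "/usr/bin/cat",  "CommandLine": "cat /etc/hostname"},            # no: no /proc/ path
    {"Image": "/usr/bin/cat",  "CommandLine": "cat /proc/1/cgroup /proc/1/status"},  # no: endswith fails
]


def matching_command_lines(events: List[Dict[str, str]]) -> List[str]:
    """Return the CommandLine of every event the rule fires on."""
    return [e["CommandLine"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for line in matching_command_lines(SAMPLE_EVENTS):
        print("ALERT:", line)
```

The last sample event illustrates a coverage limit worth knowing when tuning: because `selection_procfs_target` uses `|endswith`, only command lines whose final token is the cgroup or sched file match, so a reviewer comparing this rule's hits against raw telemetry should expect multi-argument invocations to be absent unless the `/proc/2/` branch catches them. The false-positive filtering the rule mentions (container tooling that reads these files natively) would be added as an extra selection negated in the condition, not by loosening these matches.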
