Docker Container Discovery Via Dockerenv Listing

 1title: Docker Container Discovery Via Dockerenv Listing
 2id: 11701de9-d5a5-44aa-8238-84252f131895
 3status: test
 4description: Detects listing or file reading of ".dockerenv" which can be a sing of potential container discovery
 5references:
 6    - https://blog.skyplabs.net/posts/container-detection/
 7    - https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker
 8tags:
 9    - attack.discovery
10    - attack.t1082
11author: Seth Hanford
12date: 2023-08-23
13logsource:
14    category: process_creation
15    product: linux
16detection:
17    selection:
18        Image|endswith:
19            # Note: add additional tools and utilities to increase coverage
20            - '/cat'
21            - '/dir'
22            - '/find'
23            - '/ls'
24            - '/stat'
25            - '/test'
26            - 'grep'
27        CommandLine|endswith: '.dockerenv'
28    condition: selection
29falsepositives:
30    - Legitimate system administrator usage of these commands
31    - Some container tools or deployments may use these techniques natively to determine how they proceed with execution, and will need to be filtered
32level: low

References

• Skyper's blog

  Personal blog about IT, Electronics, InfoSec, Hacking, Bug Hunting...

  
  Read More

• How to determine if a process runs inside lxc/Docker?

  

  Is there any way to determine if a process (script) runs inside an lxc container (~ Docker runtime)? I know that some programs are able to detect whether they run inside a virtual machine, is somet...

  
  Read More

Related rules

• Bitbucket User Details Export Attempt Detected
• Cisco Discovery
• Container Residence Discovery Via Proc Virtual FS
• HackTool - PCHunter Execution
• Network Reconnaissance Activity