Docker Container Discovery Via Dockerenv Listing
Detects listing or file reading of ".dockerenv" which can be a sing of potential container discovery
Sigma rule (View on GitHub)
1title: Docker Container Discovery Via Dockerenv Listing
2id: 11701de9-d5a5-44aa-8238-84252f131895
3status: experimental
4description: Detects listing or file reading of ".dockerenv" which can be a sing of potential container discovery
5references:
6 - https://blog.skyplabs.net/posts/container-detection/
7 - https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker
8tags:
9 - attack.discovery
10 - attack.t1082
11author: Seth Hanford
12date: 2023/08/23
13logsource:
14 category: process_creation
15 product: linux
16detection:
17 selection:
18 Image|endswith:
19 # Note: add additional tools and utilities to increase coverage
20 - '/cat'
21 - '/dir'
22 - '/find'
23 - '/ls'
24 - '/stat'
25 - '/test'
26 - 'grep'
27 CommandLine|endswith: '.dockerenv'
28 condition: selection
29falsepositives:
30 - Legitimate system administrator usage of these commands
31 - Some container tools or deployments may use these techniques natively to determine how they proceed with execution, and will need to be filtered
32level: low
References
Related rules
- Container Residence Discovery Via Proc Virtual FS
- Potential Container Discovery Via Inodes Listing
- OS Architecture Discovery Via Grep
- Potential GobRAT File Discovery Via Grep
- Potential System Information Discovery Via Wmic.EXE