Docker Container Discovery Via Dockerenv Listing

Detects listing or file reading of ".dockerenv" which can be a sing of potential container discovery

Sigma rule (View on GitHub)

 1title: Docker Container Discovery Via Dockerenv Listing
 2id: 11701de9-d5a5-44aa-8238-84252f131895
 3status: test
 4description: Detects listing or file reading of ".dockerenv" which can be a sing of potential container discovery
 5references:
 6    - https://blog.skyplabs.net/posts/container-detection/
 7    - https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker
 8tags:
 9    - attack.discovery
10    - attack.t1082
11author: Seth Hanford
12date: 2023-08-23
13logsource:
14    category: process_creation
15    product: linux
16detection:
17    selection:
18        Image|endswith:
19            # Note: add additional tools and utilities to increase coverage
20            - '/cat'
21            - '/dir'
22            - '/find'
23            - '/ls'
24            - '/stat'
25            - '/test'
26            - 'grep'
27        CommandLine|endswith: '.dockerenv'
28    condition: selection
29falsepositives:
30    - Legitimate system administrator usage of these commands
31    - Some container tools or deployments may use these techniques natively to determine how they proceed with execution, and will need to be filtered
32level: low

References

Related rules

to-top