Potential Container Discovery Via Inodes Listing
Detects listing of the inodes of the "/" directory to determine if the we are running inside of a container.
Sigma rule (View on GitHub)
1title: Potential Container Discovery Via Inodes Listing
2id: 43e26eb5-cd58-48d1-8ce9-a273f5d298d8
3status: test
4description: Detects listing of the inodes of the "/" directory to determine if the we are running inside of a container.
5references:
6 - https://blog.skyplabs.net/posts/container-detection/
7 - https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker
8tags:
9 - attack.discovery
10 - attack.t1082
11author: Seth Hanford
12date: 2023-08-23
13modified: 2025-11-24
14logsource:
15 category: process_creation
16 product: linux
17detection:
18 selection_ls_img:
19 Image|endswith: '/ls' # inode outside containers low, inside high
20 selection_ls_cli:
21 - CommandLine|endswith: ' /'
22 - CommandLine|contains: ' / '
23 selection_regex_inode:
24 CommandLine|re: '(?:\s-[^-\s]{0,20}i|\s--inode\s)' # -i finds inode number
25 selection_regex_dir:
26 CommandLine|re: '(?:\s-[^-\s]{0,20}d|\s--directory\s)' # -d gets directory itself, not contents
27 condition: all of selection_*
28falsepositives:
29 - Legitimate system administrator usage of these commands
30 - Some container tools or deployments may use these techniques natively to determine how they proceed with execution, and will need to be filtered
31level: low
References
-
-
Is there any way to determine if a process (script) runs inside an lxc container (~ Docker runtime)? I know that some programs are able to detect whether they run inside a virtual machine, is somet...
Read More
Related rules
- Bitbucket User Details Export Attempt Detected
- Bitbucket User Permissions Export Attempt
- Potential Suspicious Activity Using SeCEdit
- System Disk And Volume Reconnaissance Via Wmic.EXE
- System Info Discovery via Sysinfo Syscall