detection.wiki

Container and Resource Discovery T1613

Tactic: Discovery

Adversaries may attempt to discover containers and other resources that are available within a containers environment. Other resources may include images, deployments, pods, nodes, and other information such as the status of a cluster.

Events covered

1 catalog event is tagged with this technique by at least one rule.

ProviderEventTitle
ESFexecProcess Execution (Notify)

Authoring guide

Patterns shared across the 43 rules above: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (50 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

FieldRulesHowSample values
EventType31eq 21, in 10exec, exec_event, ProcessRollup2, open, executed
event.type28eq 28start, change
host.os.type28eq 26, in 2
process_name23in 15, eq 9, starts_with 2, wildcard 2bash, busybox, csh, curl, .
process.args22in 15, contains 7, wildcard 5, eq 4, starts_with 1/bin/awk, /bin/cat, /bin/curl, /bin/head, /bin/kubectl
container.id16wildcard 12, starts_with 4*, ?
process.interactive16eq 16true
data_stream.dataset7eq 7kubernetes.audit_logs
kubernetes.audit.stage6in 4, eq 2ResponseComplete, ResponseStarted
event.category5eq 5, in 1file, process, network
kubernetes.audit.objectRef.resource5eq 3, in 3clusterrolebindings, clusterroles, configmaps, nodes, secrets
Image4starts_with 2, wildcard 2, is_not_null 1/busybox/, /dev/shm/, ./kubectl, /*/.*, /dev/shm/*
TargetFilename4in 2, starts_with 2/run/secrets/kubernetes.io/serviceaccount/namespace, /var/lib/kubelet/pki/, /var/lib/kubelet/pods/, /var/run/secrets/kubernetes.io/serviceaccount/ca.crt, /var/run/secrets/kubernetes.io/serviceaccount/namespace
responseStatus.code4eq 2, ge 1, in 1, le 1403, 1, 16, 400, 7
aws::userAgent3is_not_null 3

Top indicator values (592 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.

FieldKindValueRules (here)Corpus reach
event.typeeq
start
27606
event.typeeq
change
477
EventTypeeq
exec
18171
EventTypeeq
open
415
process.interactiveeq
true
1642
container.idwildcard
*
1225
EventTypein
exec
8171
EventTypein
executed
788
EventTypein
exec_event
6139
EventTypein
ProcessRollup2
5117
EventTypein
process_started
574
EventTypein
start
4134
process_namein
bash
888
process_namein
busybox
836
process_namein
csh
871
process_namein
dash
878
process_namein
fish
872
process_namein
ksh
873
process_namein
sh
883
process_namein
tcsh
869
process_namein
zsh
882
process_namein
curl
427
process_namein
kubectl
45
process_namein
ncat
415
data_stream.dataseteq
kubernetes.audit_logs
736
container.idstarts_with
?
422
kubernetes.audit.stagein
ResponseComplete
45
kubernetes.audit.stagein
ResponseStarted
45
process.argsin
kubectl
44
process.argsin
wget
47

Exclusions (148 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.

FieldKindValueRules excluding
aws::userAgentends_with
kubernetes/$Format
3
CurrentDirectoryeq
/aws
2
CurrentDirectoryeq
/opt/cni/bin
1
ParentCommandLineeq
runc init
2
ParentImagein
/sbin/init
2
ParentImagein
/usr/bin/containerd-shim-runc-v2
2
ParentImagein
/usr/bin/dockerd
2
ParentImagein
/usr/bin/runc
2
parent_process_nameeq
busybox
2
process_nameeq
kubectl
2
CommandLinecontains
/bin/test
1
CommandLineeq
/usr/bin/coreutils --coreutils-prog-shebang=cat /usr/bin/cat...
1
CurrentDirectorystarts_with
/home/runner/_work/
1
CurrentDirectorywildcard
/opt/cni/bin
1
CurrentDirectorywildcard
/run/containerd/io.containerd.runtime.v2.task/k8s.io/*/opt/cni/bin
1

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Platform (all)
Domain (all)

Sigma 1 rule

Elastic 39 rules

Panther 3 rules