Adversaries may perform container residence discovery by reading entries in the "/proc" virtual filesystem (such as "/proc/2/", a cgroup file, or a sched file) to learn whether their code is running inside a container on the host. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect potential container-based attacks that use these kernel-level checks to decide on persistence or lateral movement.
Detection Rule
title: Container Residence Discovery Via Proc Virtual FS
id: 746c86fb-ccda-4816-8997-01386263acc4
status: test
description: Detects potential container discovery via listing of certain kernel features in the "/proc" virtual filesystem
references:
    - https://blog.skyplabs.net/posts/container-detection/
    - https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker
tags:
    - attack.discovery
    - attack.t1082
author: Seth Hanford
date: 2023-08-23
logsource:
    category: process_creation
    product: linux
detection:
    selection_tools:
        Image|endswith:
            - 'awk'
            - '/cat'
            - 'grep'
            - '/head'
            - '/less'
            - '/more'
            - '/nl'
            - '/tail'
    selection_procfs_kthreadd: # outside containers, PID 2 == kthreadd
        CommandLine|contains: '/proc/2/'
    selection_procfs_target:
        CommandLine|contains: '/proc/'
        CommandLine|endswith:
            - '/cgroup' # cgroups end in ':/' outside containers
            - '/sched' # PID mismatch when run in containers
    condition: selection_tools and 1 of selection_procfs_*
falsepositives:
    - Legitimate system administrator usage of these commands
    - Some container tools or deployments may use these techniques natively to determine how they proceed with execution, and will need to be filtered
level: low
imProcessCreate
| where (TargetProcessName endswith "awk"
        or TargetProcessName endswith "/cat"
        or TargetProcessName endswith "grep"
        or TargetProcessName endswith "/head"
        or TargetProcessName endswith "/less"
        or TargetProcessName endswith "/more"
        or TargetProcessName endswith "/nl"
        or TargetProcessName endswith "/tail")
    and (TargetProcessCommandLine contains "/proc/2/"
        or (TargetProcessCommandLine contains "/proc/"
            and (TargetProcessCommandLine endswith "/cgroup"
                or TargetProcessCommandLine endswith "/sched")))
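To make the rule's matching behaviour concrete, the following is an added Python re-implementation of the Sigma selections and condition above, evaluated over a handful of constructed process_creation events; it is illustrative code written for this page, not part of the rule, the Sigma project, or the Sentinel query.

```python
# Added example: the Sigma rule's selection logic as plain Python,
# run over constructed process_creation events (not real telemetry).

# Image|endswith: note that 'awk' and 'grep' carry no leading '/',
# so they also match variants such as gawk, mawk, egrep and fgrep.
TOOL_SUFFIXES = ("awk", "/cat", "grep", "/head", "/less", "/more", "/nl", "/tail")
# CommandLine|endswith for selection_procfs_target
PROCFS_SUFFIXES = ("/cgroup", "/sched")


def selection_tools(image: str) -> bool:
    """selection_tools: Image ends with one of the listed reader binaries."""
    return image.endswith(TOOL_SUFFIXES)


def selection_procfs_kthreadd(cmdline: str) -> bool:
    """selection_procfs_kthreadd: '/proc/2/' (kthreadd on the host) is read."""
    return "/proc/2/" in cmdline


def selection_procfs_target(cmdline: str) -> bool:
    """selection_procfs_target: a /proc path ending in /cgroup or /sched."""
    return "/proc/" in cmdline and cmdline.endswith(PROCFS_SUFFIXES)


def matches_rule(event: dict) -> bool:
    """condition: selection_tools and 1 of selection_procfs_*"""
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")
    return selection_tools(image) and (
        selection_procfs_kthreadd(cmdline) or selection_procfs_target(cmdline)
    )


# Constructed sample events; the first three should alert, the rest should not.
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/cat", "CommandLine": "cat /proc/1/cgroup"},
    {"Image": "/usr/bin/head", "CommandLine": "head -n 1 /proc/2/sched"},
    {"Image": "/usr/bin/egrep", "CommandLine": "egrep docker /proc/self/cgroup"},
    {"Image": "/usr/bin/cat", "CommandLine": "cat /proc/self/status"},  # other /proc file
    {"Image": "/usr/bin/cat", "CommandLine": "cat /etc/hosts"},          # not /proc at all
]


def alerts(events):
    """Return the command lines of the events that would raise this rule."""
    return [e["CommandLine"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for line in alerts(SAMPLE_EVENTS):
        print("ALERT:", line)
```

Running it prints one ALERT line per matching sample; events for other /proc files or non-listed binaries stay silent, which is the coverage boundary the falsepositives section should be read against.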
Scenario: System Administrator Performing Routine Kernel Module Inspection
Description: An admin uses modprobe or lsmod to inspect kernel modules as part of routine system maintenance.
Filter/Exclusion: Exclude processes where the command line includes modprobe or lsmod and the user is a system admin (e.g., UID 0 or in the sudo group).

Scenario: Scheduled Job for Container Health Check
Description: A cron job runs a script that checks container status using docker ps or crictl to ensure containers are running.
Filter/Exclusion: Exclude processes with command lines containing docker ps, crictl, or kubectl and where the process is initiated by a scheduled job (e.g., via cron or systemd-timedate).

Scenario: Development Team Using Docker for Local Testing
Description: Developers use the Docker CLI to build and run containers locally, which may trigger the rule when listing kernel features.
Filter/Exclusion: Exclude processes where the command line includes docker or docker-compose and the user is part of the docker group or has elevated privileges.

Scenario: Security Tool Scanning for Kernel Vulnerabilities
Description: A security tool like ClamAV or OpenSCAP scans the system for kernel vulnerabilities, which may involve inspecting kernel modules.
Filter/Exclusion: Exclude processes where the command line includes clamscan, openscap, or similar tools, and the process is initiated by a security scanning service.

Scenario: Container Runtime Debugging with strace
Description: A sysadmin uses strace to debug container runtime behavior, which may involve inspecting kernel features.
Filter/Exclusion: Exclude processes where the