Adversaries may use Docker environment listing to gather information about running containers, which can aid in lateral movement or privilege escalation. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential reconnaissance activities and mitigate early-stage threats.
Detection Rule
title: Docker Container Discovery Via Dockerenv Listing
id: 11701de9-d5a5-44aa-8238-84252f131895
status: test
description: Detects listing or file reading of ".dockerenv" which can be a sign of potential container discovery
references:
    - https://blog.skyplabs.net/posts/container-detection/
    - https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker
tags:
    - attack.discovery
    - attack.t1082
author: Seth Hanford
date: 2023-08-23
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith:
            # Note: add additional tools and utilities to increase coverage
            - '/cat'
            - '/dir'
            - '/find'
            - '/ls'
            - '/stat'
            - '/test'
            - 'grep'
        CommandLine|endswith: '.dockerenv'
    condition: selection
falsepositives:
    - Legitimate system administrator usage of these commands
    - Some container tools or deployments may use these techniques natively to determine how they proceed with execution, and will need to be filtered
level: low
imProcessCreate
| where (TargetProcessName endswith "/cat"
    or TargetProcessName endswith "/dir"
    or TargetProcessName endswith "/find"
    or TargetProcessName endswith "/ls"
    or TargetProcessName endswith "/stat"
    or TargetProcessName endswith "/test"
    or TargetProcessName endswith "grep")
    and TargetProcessCommandLine endswith ".dockerenv"
Scenario: System administrator performing routine Docker container inventory using docker ps or docker container ls
Filter/Exclusion: Check for command-line arguments like --format or --no-trunc that indicate administrative use, or filter by process owner (user.name = "root" or user.name = "admin").
Scenario: Scheduled job running a script to generate a Docker container list for reporting purposes (e.g., using docker ps --format "{{.ID}} {{.Image}} {{.Status}}")
Filter/Exclusion: Exclude processes with known job names or paths (e.g., /opt/scripts/container_inventory.sh), or filter by user or group responsible for the scheduled task.
Scenario: Security tool or SIEM agent scanning Docker environment for compliance or audit purposes (e.g., docker inspect or docker stats)
Filter/Exclusion: Exclude processes initiated by security tools (e.g., splunk, logstash, osquery) or filter by known compliance scanning tools.
Scenario: DevOps pipeline executing a CI/CD job that reads Docker container metadata as part of a build process (e.g., using docker inspect or docker images)
Filter/Exclusion: Exclude processes with known CI/CD tool names (e.g., jenkins, gitlab-runner, github-actions) or filter by specific job names or environment variables.
Scenario: System update or package management tool enumerating Docker containers during a system scan (e.g., systemd or apt scanning for running containers)
Filter/Exclusion: Exclude processes related to system updates or package managers (e.g., apt, yum, dnf, systemd) or filter by process name or parent process.
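The rule's selection logic evaluated over constructed process-creation events, combined with the known-script exclusion from the scheduled-job scenario above, as an added example rather than code from the rule's author or from Sentinel; field names follow the Sigma rule, while ParentCommandLine, the allow-listed script path and the sample events are assumptions.

```python
# Added example: the Sigma `selection` block evaluated in Python over
# constructed process_creation events, plus one tuning filter taken from
# the false-positive scenarios (allow-listing a known inventory script).
# Image/CommandLine follow the Sigma rule; ParentCommandLine and the
# script path are assumptions for illustration.

IMAGE_SUFFIXES = ("/cat", "/dir", "/find", "/ls", "/stat", "/test", "grep")
CMDLINE_SUFFIX = ".dockerenv"

# Assumed tuning: parent scripts whose .dockerenv checks are expected.
KNOWN_INVENTORY_SCRIPTS = ("/opt/scripts/container_inventory.sh",)


def matches_selection(event):
    """True when the event satisfies the rule's `selection` block.
    Sigma string matching is case-insensitive by default, so compare lowercased."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    return image.endswith(IMAGE_SUFFIXES) and cmdline.endswith(CMDLINE_SUFFIX)


def is_known_benign(event):
    """Tuning filter: the parent command line references an allow-listed script."""
    parent = event.get("ParentCommandLine", "")
    return any(path in parent for path in KNOWN_INVENTORY_SCRIPTS)


def evaluate(events):
    """Return (alert_ids, suppressed_ids) for a batch of events."""
    alerts, suppressed = [], []
    for ev in events:
        if not matches_selection(ev):
            continue
        (suppressed if is_known_benign(ev) else alerts).append(ev["id"])
    return alerts, suppressed


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "Image": "/usr/bin/cat", "CommandLine": "cat /.dockerenv", "ParentCommandLine": "/bin/bash"},
    {"id": 2, "Image": "/usr/bin/ls", "CommandLine": "ls -la /.dockerenv",
     "ParentCommandLine": "/bin/sh /opt/scripts/container_inventory.sh"},
    {"id": 3, "Image": "/usr/bin/egrep", "CommandLine": "egrep docker /proc/1/cgroup", "ParentCommandLine": "/bin/bash"},
    {"id": 4, "Image": "/usr/bin/cat", "CommandLine": "cat /etc/hostname", "ParentCommandLine": "/bin/bash"},
    {"id": 5, "Image": "/usr/bin/test", "CommandLine": "test -f /.dockerenv", "ParentCommandLine": "/bin/bash"},
    # Not covered by the suffix list (the rule's own comment invites adding tools).
    {"id": 6, "Image": "/usr/bin/vim", "CommandLine": "vim /.dockerenv", "ParentCommandLine": "/bin/bash"},
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENTS))  # ([1, 5], [2])
```

Event 3 shows why the `.dockerenv` suffix matters: `egrep` matches the image list, but a cgroup-based check never reaches the command-line condition, so the rule stays silent there.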