A process can check whether it is running inside a container by listing the inode number of the root directory, typically with `ls -di /`: on a host the inode of `/` is normally a low number (2 on ext2/3/4 filesystems), whereas inside a container it is usually a large one because the container's `/` is not the host's root filesystem. Adversaries who land in a container use this check to learn where their code is running before choosing their next step; MITRE ATT&CK classifies it as System Information Discovery (T1082). The Sigma rule below, and its Azure Sentinel (KQL) translation, flag `ls` invocations against `/` that combine the inode option (`-i` or `--inode`) with the directory option (`-d` or `--directory`). SOC teams can hunt for this behavior to catch early container reconnaissance; the rule is rated low severity, so it is best used as a hunting query or as one signal in a correlation rather than as a stand-alone alert.
Detection Rule
title: Potential Container Discovery Via Inodes Listing
id: 43e26eb5-cd58-48d1-8ce9-a273f5d298d8
status: test
description: Detects listing of the inodes of the "/" directory to determine if we are running inside of a container.
references:
    - https://blog.skyplabs.net/posts/container-detection/
    - https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker
tags:
    - attack.discovery
    - attack.t1082
author: Seth Hanford
date: 2023-08-23
modified: 2025-11-24
logsource:
    category: process_creation
    product: linux
detection:
    selection_ls_img:
        Image|endswith: '/ls' # inode outside containers low, inside high
    selection_ls_cli:
        - CommandLine|endswith: ' /'
        - CommandLine|contains: ' / '
    selection_regex_inode:
        CommandLine|re: '(?:\s-[^-\s]{0,20}i|\s--inode\s)' # -i finds inode number
    selection_regex_dir:
        CommandLine|re: '(?:\s-[^-\s]{0,20}d|\s--directory\s)' # -d gets directory itself, not contents
    condition: all of selection_*
falsepositives:
    - Legitimate system administrator usage of these commands
    - Some container tools or deployments may use these techniques natively to determine how they proceed with execution, and will need to be filtered
level: low
Azure Sentinel Query
imProcessCreate
| where TargetProcessName endswith "/ls"
    and (TargetProcessCommandLine endswith " /" or TargetProcessCommandLine contains " / ")
    and TargetProcessCommandLine matches regex "(?:\\s-[^-\\s]{0,20}i|\\s--inode\\s)"
    and TargetProcessCommandLine matches regex "(?:\\s-[^-\\s]{0,20}d|\\s--directory\\s)"
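As an added, runnable illustration of the rule logic (editor-written example code, not part of the Sigma rule, the SigmaHQ project or the Sentinel query), the Python below evaluates the four selections against a handful of constructed process_creation events and then applies a parent-process exclusion of the kind the false-positive scenarios call for. The ProcessEvent field names, the sample events and the excluded parent suffixes are assumptions made for the example; the two regexes are copied from the rule.

```python
import re
from dataclasses import dataclass

# Regexes copied verbatim from the Sigma rule; Python's re accepts this syntax.
RE_INODE = re.compile(r"(?:\s-[^-\s]{0,20}i|\s--inode\s)")
RE_DIR = re.compile(r"(?:\s-[^-\s]{0,20}d|\s--directory\s)")


@dataclass
class ProcessEvent:
    """Minimal process_creation event. Field names are assumptions for this
    example, mapped loosely onto Sigma's Image/CommandLine/ParentImage/User."""
    image: str
    command_line: str
    parent_image: str = ""
    user: str = ""


def matches_rule(ev: ProcessEvent) -> bool:
    """Evaluate 'condition: all of selection_*' from the rule above."""
    cl = ev.command_line
    sel_ls_img = ev.image.endswith("/ls")
    sel_ls_cli = cl.endswith(" /") or " / " in cl          # target is the root dir
    sel_inode = RE_INODE.search(cl) is not None            # -i / --inode present
    sel_dir = RE_DIR.search(cl) is not None                # -d / --directory present
    return sel_ls_img and sel_ls_cli and sel_inode and sel_dir


def triage(events, excluded_parent_suffixes=("/cron", "/crond")):
    """Return the command lines of matching events that were not launched by an
    excluded parent. Parent-based exclusion is one way to implement the
    scheduled-job filter discussed below; the suffixes are assumed values."""
    hits = []
    for ev in events:
        if not matches_rule(ev):
            continue
        if any(ev.parent_image.endswith(s) for s in excluded_parent_suffixes):
            continue
        hits.append(ev.command_line)
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent("/usr/bin/ls", "ls -di /", "/bin/bash"),                  # classic check
    ProcessEvent("/usr/bin/ls", "ls -lid / ", "/bin/sh"),                  # combined flags, trailing space
    ProcessEvent("/usr/bin/ls", "ls --inode --directory /", "/bin/bash"),  # long options
    ProcessEvent("/usr/bin/ls", "ls -la /", "/bin/bash"),                  # no -i or -d: no match
    ProcessEvent("/usr/bin/ls", "ls -di /tmp", "/bin/bash"),               # not the root dir: no match
    ProcessEvent("/usr/bin/stat", "stat -c %i /", "/bin/bash"),            # same info via stat: not covered
    ProcessEvent("/usr/bin/find", "find / -maxdepth 0 -printf '%i\\n'", "/bin/bash"),  # not ls: no match
    ProcessEvent("/usr/bin/ls", "ls -di /", "/usr/sbin/cron"),             # matches, but parent excluded
]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{'MATCH' if matches_rule(ev) else '     '}  {ev.command_line}")
    print("alerts after parent exclusion:", triage(SAMPLE_EVENTS))
```

The find and stat events show the rule's scope. The find command line satisfies both regexes (the -printf and -maxdepth flags contain the letters i and d) and the " / " check, and is dropped only by the Image selection, which is why exclusions keyed on other tool names have no effect. The stat event is the rule's blind spot: `stat -c %i /` returns the same inode number without ever executing ls, so a hunt for this technique should consider a companion rule for stat.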
False Positive Scenarios
The rule only fires on a process whose Image ends in /ls, so every exclusion must key on the ls invocation itself (its parent process, user or exact command line). Excluding the names of other tools from the command line has no effect, because those tools never appear in the matched event.
Scenario: System Administrator Checking the Root Inode
Description: An admin runs ls -di / (or ls -ldi /) interactively, for example while troubleshooting a mount or confirming whether a shell session is inside a container. Disk-usage tools such as du and df do not match this rule, since their Image is not ls, and need no exclusion.
Filter/Exclusion: Exclude events whose parent process is an interactive shell of a known administrative user (e.g., user.name = "root" on jump hosts), and keep the rule enabled for container workloads where interactive ls use is unexpected.
Scenario: Scheduled Job for Log Rotation or Backup
Description: A scheduled job (e.g., via cron or a systemd timer) runs a script that executes ls -di / as part of a backup, log rotation or container-detection step.
Filter/Exclusion: Exclude events whose parent is the scheduler or the known script (e.g., ParentImage ending in /cron or /crond, or the script's path), rather than matching tar, rsync or logrotate on the command line, which never appear in the ls event.
Scenario: Container Runtime Inspection via crictl or docker inspect
Description: Container runtime CLIs such as crictl inspect and docker inspect read container metadata from the runtime's API and do not spawn ls, so they do not trigger this rule on their own. Only wrapper or health-check scripts around them that call ls -di / would.
Filter/Exclusion: If such a wrapper exists, exclude it by ParentImage or script path and by the service account that runs it; excluding crictl inspect or docker inspect from the command line is ineffective because those strings never occur in the ls event.
Scenario: Security Tool or SIEM Agent Collecting File Metadata
Description: Security agents such as OSSEC typically collect file metadata, including inode numbers, through their own file-integrity code rather than by executing ls, so they do not normally trigger this rule. Some agents or custom collection scripts do shell out, and those invocations will match.
Filter/Exclusion: Exclude by the agent's ParentImage or service account (e.g., the ossec or splunk user), not by an agent name in the ls command line, and review the exclusion whenever the agent is upgraded.
Scenario: Development Team Using find for File Search
Description: Developers use the find command with options like -printf '%i %p\n' to list or search files by inode number. Because the process image is find rather than ls, this does not match the rule as written, even though the -printf and -maxdepth flags satisfy the -i and -d regexes; it would only need an exclusion in a local variant that broadens the Image selection.
Filter/Exclusion: Exclude processes where the command line includes `find