Container Enumeration

The "Container Enumeration" data component captures events and actions related to listing and identifying active or available containers within a containerized environment. This includes information about running, stopped, or configured containers, such as their names, IDs, statuses, or associated images. Monitoring this activity is crucial for detecting unauthorized discovery or reconnaissance efforts. Examples:

  • Docker Example: docker ps, docker ps -a
  • Kubernetes Example: kubectl get pods, kubectl get deployments
  • Cloud Container Services Example:
    • AWS ECS: API Call: ListTasks or ListContainers
    • Azure Kubernetes Service: API Call: List pod or container instances.
    • Google Kubernetes Engine (GKE): API Call: Retrieve deployments and their associated containers.

ID: DC0091
Domains: Enterprise
Version: 2.0
Created: 20 October 2021
Last Modified: 12 November 2025

Log Sources

Name                Channel
AWS:CloudTrail      DescribeCluster, ListClusters, ListNodegroups
containerd:runtime  e.g., containerd, Docker events
docker:daemon       docker ps, docker inspect, or docker images commands
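
An added example (not part of the original page and not MITRE's own analytic): a sketch of how the AWS:CloudTrail channel above could be turned into a detection that flags a principal issuing a burst of the listed enumeration calls. The window, threshold, sample records, account ID, and user names are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Event names taken from the AWS:CloudTrail channel in the Log Sources table.
ENUM_EVENTS = {"DescribeCluster", "ListClusters", "ListNodegroups"}
WINDOW = timedelta(minutes=5)  # assumed correlation window
THRESHOLD = 3                  # assumed number of calls in the window before alerting

def sample_event(time, name, user, ip):
    """Build a constructed record trimmed to the CloudTrail fields used below."""
    return {"eventTime": time, "eventName": name, "sourceIPAddress": ip,
            "userIdentity": {"arn": f"arn:aws:iam::111122223333:user/{user}"}}

# Constructed sample data (not real logs).
SAMPLE_EVENTS = [
    sample_event("2025-01-01T10:00:05Z", "ListClusters", "example-a", "198.51.100.7"),
    sample_event("2025-01-01T10:00:09Z", "DescribeCluster", "example-a", "198.51.100.7"),
    sample_event("2025-01-01T10:00:12Z", "ListNodegroups", "example-a", "198.51.100.7"),
    sample_event("2025-01-01T10:00:20Z", "DescribeInstances", "example-a", "198.51.100.7"),
    # Same number of calls, but hours apart: routine use, should not alert.
    sample_event("2025-01-01T09:00:00Z", "DescribeCluster", "example-b", "198.51.100.9"),
    sample_event("2025-01-01T11:30:00Z", "DescribeCluster", "example-b", "198.51.100.9"),
    sample_event("2025-01-01T14:00:00Z", "DescribeCluster", "example-b", "198.51.100.9"),
]

def detect_enumeration(events, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per principal whose enumeration calls reach the threshold within the window."""
    by_principal = defaultdict(list)
    for ev in events:
        if ev.get("eventName") in ENUM_EVENTS:
            arn = ev.get("userIdentity", {}).get("arn", "unknown")
            when = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            by_principal[arn].append((when, ev["eventName"], ev.get("sourceIPAddress")))
    alerts = []
    for arn, calls in by_principal.items():
        calls.sort(key=lambda c: c[0])
        start = 0
        for end in range(len(calls)):
            # Slide the left edge forward until the span fits inside the window.
            while calls[end][0] - calls[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst = calls[start:end + 1]
                alerts.append({"principal": arn, "first_seen": burst[0][0], "count": len(burst),
                               "apis": sorted({c[1] for c in burst}),
                               "source_ips": sorted({c[2] for c in burst if c[2]})})
                break  # one alert per principal is enough for triage
    return alerts

if __name__ == "__main__":
    for alert in detect_enumeration(SAMPLE_EVENTS):
        print(alert)
```

Tune the window and threshold against a baseline of normal operator and CI/CD activity, since deployment tooling legitimately calls these APIs.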

Detection Strategy