Container

A standard unit of virtualized software that packages up code and all its dependencies so the application runs quickly and reliably from one computing environment to another^[1]

ID: DS0032

ⓘ

Platform: Containers

ⓘ

Collection Layer: Container

Contributors: Center for Threat-Informed Defense (CTID)

Version: 1.0

Created: 20 October 2021

Last Modified: 10 November 2021

Version Permalink

Live Version

Data Components

Container: Container Creation

Initial construction of a new container (ex: docker create )

Container: Container Creation

Initial construction of a new container (ex: docker create )

Domain	ID		Name	Detects
Enterprise	T1543		Create or Modify System Process	Monitor for newly constructed containers that repeatedly execute malicious payloads as part of persistence or privilege escalation.
		.005	Container Service	Monitor for newly constructed containers that repeatedly execute malicious payloads as part of persistence or privilege escalation.
Enterprise	T1610		Deploy Container	Monitor container creation to detect suspicious or unknown images being deployed. Ensure that only authorized images are being used in the environment, especially in sensitive areas. Analytic 1 - Creation of unexpected or unauthorized containers `sourcetype=docker:daemon OR sourcetype=kubernetes:event\| search action="create"\| where image NOT IN ("known_images_list")`
Enterprise	T1611		Escape to Host	Monitor for the deployment of suspicious or unknown container images and pods in your environment, particularly containers running as root.
Enterprise	T1053		Scheduled Task/Job	Monitor for newly constructed containers that may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Analytic 1 - Look for new container creation events with unusual parameters. `index=container_logs sourcetype="docker_events" OR sourcetype="kubernetes_events"\| eval event_action=coalesce(action, status)\| where (event_action="create" OR event_action="start")\| search event_type="container"\| search (parameters="--privileged" OR parameters="--cap-add=" OR parameters="--volume=" OR parameters="--network=host" OR parameters="--device")`
		.007	Container Orchestration Job	Monitor for container creation events within Kubernetes clusters. This helps track when new containers are being deployed, especially by jobs that could have been scheduled by adversaries. Analytic 1 - Look for new container creation events with unusual parameters. `sourcetype=kubernetes:container_creation \| stats count by container_name namespace pod_name container_id image_name\| where NOT [search index=container_baseline container_name=* earliest=-30d@d latest=now() \| table container_name]`
Enterprise	T1204		User Execution	Monitor for newly constructed containers that may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Analytic 1 - Containers communicating with unexpected external services. `sourcetype=container_creation OR sourcetype=container_start\| stats count by container_name event_description user\| where container_name NOT IN ("") AND event_description IN ("created", "started")`
		.003	Malicious Image	Track the deployment of new containers, especially from newly built images.

Container: Container Enumeration

An extracted list of containers (ex: docker ps)

Container: Container Enumeration

An extracted list of containers (ex: docker ps)

Domain	ID		Name	Detects
Enterprise	T1613		Container and Resource Discovery	Monitor logs for actions that could be taken to gather information about container infrastructure, including the use of discovery API calls by new or unexpected users. Monitor account activity logs to see actions performed and activity associated with the Kubernetes dashboard and other web applications.

Container: Container Start

Activation or invocation of a container (ex: docker start or docker restart)

Container: Container Start

Activation or invocation of a container (ex: docker start or docker restart)

Domain ID Name Detects

Enterprise

Domain	ID	Name	Detects
Enterprise	T1610	Deploy Container	Monitor for the start of containers, especially those not aligned with expected images or known administrative schedules. Analytic 1 - Unexpected container starts `sourcetype=docker:daemon OR sourcetype=kubernetes:event\| search action="start"\| where user NOT IN ("known_admins")`
Enterprise	T1204	User Execution	Monitor for the activation or invocation of a container (ex: docker start or docker restart)
		.003	Malicious Image	Monitor the behavior of containers within the environment to detect anomalous behavior or malicious activity after users deploy from malicious images.

T1610

Deploy Container

Monitor for the start of containers, especially those not aligned with expected images or known administrative schedules.

Analytic 1 - Unexpected container starts

sourcetype=docker:daemon OR sourcetype=kubernetes:event| search action="start"| where user NOT IN ("known_admins")

Enterprise

T1204

User Execution

Monitor for the activation or invocation of a container (ex: docker start or docker restart)

.003

Malicious Image

Monitor the behavior of containers within the environment to detect anomalous behavior or malicious activity after users deploy from malicious images.

References

docker docs. (n.d.). Containers. Retrieved October 13, 2021.