Container

A standard unit of virtualized software that packages up code and all its dependencies so the application runs quickly and reliably from one computing environment to another.[1]

ID: DS0032
Platform: Containers
Collection Layer: Container
Contributors: Center for Threat-Informed Defense (CTID)
Version: 1.0
Created: 20 October 2021
Last Modified: 24 December 2024

Data Components

Container: Container Creation

"Container Creation" data component captures details about the initial construction of a container in a containerized environment. This includes events where a new container is instantiated, such as through Docker, Kubernetes, or other container orchestration platforms. Monitoring these events helps detect unauthorized or potentially malicious container creation. Examples:

  • Docker Example: docker create my-container, docker run --name=my-container nginx:latest
  • Kubernetes Example: kubectl run my-pod --image=nginx, kubectl create deployment my-deployment --image=nginx
  • Cloud Container Services Example
    • AWS ECS: Task or service creation (RunTask or CreateService).
    • Azure Container Instances: Deployment of a container group.
    • Google Kubernetes Engine (GKE): Creation of new pods via GCP APIs.

This data component can be collected through the following measures:

  • Docker Audit Logging: Enable Docker daemon logging to capture create commands. Configure the Docker daemon to use a log driver such as syslog or json-file.
  • Kubernetes Audit Logs: Enable Kubernetes API server audit logging.
  • Cloud Provider Logs
    • AWS CloudTrail: Enable logging for ECS RunTask or CreateService events.
    • Azure Monitor: Enable activity logging for container group creation.
    • GCP Cloud Logging: Monitor API calls such as container.projects.zones.clusters.create.
  • SIEM Integration: Use a SIEM to collect logs from Docker, Kubernetes, or cloud platforms.

Domain | ID | Name | Detects
Enterprise | T1543 | Create or Modify System Process

Monitor for newly constructed containers that repeatedly execute malicious payloads as part of persistence or privilege escalation.

Enterprise | T1543.005 | Container Service

Monitor for newly constructed containers that repeatedly execute malicious payloads as part of persistence or privilege escalation.

Enterprise | T1610 | Deploy Container

Monitor container creation to detect suspicious or unknown images being deployed. Ensure that only authorized images are being used in the environment, especially in sensitive areas.

Analytic 1 - Creation of unexpected or unauthorized containers

sourcetype=docker:daemon OR sourcetype=kubernetes:event
| search action="create"
| where image NOT IN ("known_images_list")

Enterprise | T1611 | Escape to Host

Monitor for the deployment of suspicious or unknown container images and pods in your environment, particularly containers running as root.

Enterprise | T1053 | Scheduled Task/Job

Monitor for newly constructed containers that may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.

Analytic 1 - Look for new container creation events with unusual parameters.

index=container_logs (sourcetype="docker_events" OR sourcetype="kubernetes_events")
| eval event_action=coalesce(action, status)
| where (event_action="create" OR event_action="start")
| search event_type="container"
| search (parameters="*--privileged*" OR parameters="*--cap-add=*" OR parameters="*--volume=*" OR parameters="*--network=host*" OR parameters="*--device*")

Enterprise | T1053.007 | Container Orchestration Job

Monitor for container creation events within Kubernetes clusters. This helps track when new containers are being deployed, especially by jobs that could have been scheduled by adversaries.

Analytic 1 - Look for new container creation events with unusual parameters.

sourcetype=kubernetes:container_creation
| stats count by container_name namespace pod_name container_id image_name
| search NOT [search index=container_baseline container_name=* earliest=-30d@d latest=now() | table container_name]

Enterprise | T1204 | User Execution

Monitor for newly constructed containers that may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel.

Analytic 1 - Containers communicating with unexpected external services.

sourcetype=container_creation OR sourcetype=container_start
| stats count by container_name event_description user
| where container_name NOT IN ("") AND event_description IN ("created", "started")

Enterprise | T1204.003 | Malicious Image

Track the deployment of new containers, especially from newly built images.
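The analytics above express the Container Creation checks (image not on an allowlist, creation with privileged or host-level parameters) as SIEM queries. The following is an added example, not MITRE's code, that applies the same checks directly to the raw records a collector would see: a `docker events --format '{{json .}}'` line plus the `HostConfig` section of `docker inspect` (where `--privileged`, `--cap-add`, `--network=host` and `--volume` end up), and a Kubernetes API server audit event for a pod create. The allowlist and all sample records are constructed for the example.

```python
"""Added example (not MITRE's code): normalise Docker and Kubernetes container
creation records into one shape, then apply the checks the analytics describe:
image not on an allowlist, and risky runtime settings."""
import json

# Assumed allowlist of images permitted in this environment (constructed values).
ALLOWED_IMAGES = {"nginx:1.25.3", "registry.example.internal/app:2.3"}

def docker_event_line(image, name, action="create"):
    """Build a constructed line in the shape of `docker events --format '{{json .}}'`."""
    return json.dumps({
        "status": action, "id": "0123abcd", "from": image, "Type": "container",
        "Action": action, "time": 1700000000,
        "Actor": {"ID": "0123abcd", "Attributes": {"image": image, "name": name}},
    })

DOCKER_SUSPICIOUS_LINE = docker_event_line("nginx:latest", "my-container")
DOCKER_BENIGN_LINE = docker_event_line("nginx:1.25.3", "web")

# Constructed HostConfig section of `docker inspect` for the suspicious container;
# --privileged, --cap-add, --network=host and --volume from the CLI end up here.
DOCKER_HOST_CONFIG = {"Privileged": True, "NetworkMode": "host",
                      "CapAdd": ["SYS_ADMIN"], "Binds": ["/:/host:ro"]}

# Constructed Kubernetes API server audit event (audit.k8s.io/v1) for a pod create,
# trimmed to the fields used here.
K8S_AUDIT_EVENT = {
    "kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": "create",
    "user": {"username": "system:serviceaccount:default:builder"},
    "objectRef": {"resource": "pods", "namespace": "default", "name": "my-pod"},
    "requestObject": {"spec": {
        "hostNetwork": True,
        "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
        "containers": [{
            "name": "app", "image": "nginx:latest",
            "securityContext": {"privileged": True, "capabilities": {"add": ["NET_ADMIN"]}},
        }],
    }},
}

def normalize_docker(event_line, host_config=None):
    """Turn a Docker events line (plus optional inspect HostConfig) into a common record."""
    ev = json.loads(event_line)
    if ev.get("Type") != "container" or ev.get("Action") not in ("create", "start"):
        return None
    attrs = ev.get("Actor", {}).get("Attributes", {})
    hc = host_config or {}
    return {
        "source": "docker", "action": ev["Action"], "user": None,  # daemon events carry no user
        "name": attrs.get("name"), "image": attrs.get("image"),
        "privileged": bool(hc.get("Privileged")),
        "host_network": hc.get("NetworkMode") == "host",
        # Binds starting with "/" are host-path mounts; named volumes appear as "vol:/path".
        "host_mounts": [b for b in hc.get("Binds") or [] if b.startswith("/")],
        "added_caps": list(hc.get("CapAdd") or []),
    }

def normalize_k8s(audit_event):
    """Turn a pod-create audit event into one record per container in the pod spec."""
    ref = audit_event.get("objectRef", {})
    if audit_event.get("verb") != "create" or ref.get("resource") != "pods":
        return []
    spec = audit_event.get("requestObject", {}).get("spec", {})
    host_paths = [v["hostPath"]["path"] for v in spec.get("volumes", []) if "hostPath" in v]
    records = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        records.append({
            "source": "kubernetes", "action": "create",
            "user": audit_event.get("user", {}).get("username"),
            "name": f'{ref.get("namespace")}/{ref.get("name")}/{c.get("name")}',
            "image": c.get("image"),
            "privileged": bool(sc.get("privileged")),
            "host_network": bool(spec.get("hostNetwork")),
            "host_mounts": host_paths,
            "added_caps": list((sc.get("capabilities") or {}).get("add") or []),
        })
    return records

def findings(record, allowed=ALLOWED_IMAGES):
    """Return the reasons a creation record should be reviewed (empty list = nothing found)."""
    checks = [
        (record["image"] not in allowed, f"image not in allowlist: {record['image']}"),
        (record["privileged"], "privileged"),
        (record["host_network"], "host network"),
        (bool(record["host_mounts"]), "host path mount: " + ", ".join(record["host_mounts"])),
        (bool(record["added_caps"]), "added capabilities: " + ", ".join(record["added_caps"])),
    ]
    return [message for hit, message in checks if hit]
```

`findings(normalize_docker(DOCKER_SUSPICIOUS_LINE, DOCKER_HOST_CONFIG))` returns all five reasons, the benign line returns an empty list, and the Kubernetes event yields one record per container so a multi-container pod is checked container by container. Docker daemon events carry no user, which is why the Kubernetes path keeps `user.username` while the Docker path leaves it empty; attributing Docker CLI usage to a person needs auditd on the host, as the collection notes say.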

Container: Container Enumeration

"Container Enumeration" data component captures events and actions related to listing and identifying active or available containers within a containerized environment. This includes information about running, stopped, or configured containers, such as their names, IDs, statuses, or associated images. Monitoring this activity is crucial for detecting unauthorized discovery or reconnaissance efforts. Examples:

  • Docker Example: docker ps, docker ps -a
  • Kubernetes Example: kubectl get pods, kubectl get deployments
  • Cloud Container Services Example
    • AWS ECS: API Call: ListTasks or ListContainers
    • Azure Kubernetes Service: API Call: List pod or container instances.
    • Google Kubernetes Engine (GKE): API Call: Retrieve deployments and their associated containers.

This data component can be collected through the following measures:

  • Docker Audit Logging: Enable Docker daemon logging to capture enumeration commands. Use tools like auditd to monitor terminal activity involving docker ps or similar commands.
  • Kubernetes Audit Logs: Enable Kubernetes API server audit logging. Capture events where users query resources such as pods, deployments, or services.
  • Cloud Provider Logs
    • AWS CloudTrail: Enable logging for API calls like ListTasks or DescribeTasks.
    • Azure Monitor: Enable activity logging to track container-related queries.
    • GCP Cloud Logging: Track API events involving container enumerations or deployments.
  • SIEM Integration: Collect logs from Docker, Kubernetes, and cloud services for centralized analysis.

Domain | ID | Name | Detects
Enterprise | T1613 | Container and Resource Discovery

Monitor logs for actions that could be taken to gather information about container infrastructure, including the use of discovery API calls by new or unexpected users. Monitor account activity logs to see actions performed and activity associated with the Kubernetes dashboard and other web applications.
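The detection above for T1613 comes down to two steps: pick the discovery calls out of the audit sources listed under Container Enumeration, and compare who made them against the identities expected to do so. The following is an added example, not MITRE's code, that does this over constructed Kubernetes audit events and AWS CloudTrail ECS records; the discovery verb and event-name sets, the baseline of known operators and all sample records are assumptions made for the example.

```python
"""Added example (not MITRE's code): extract container-discovery API calls from
Kubernetes audit events and CloudTrail records, count them per identity, and
flag identities absent from a baseline of known operators."""

# Kubernetes read verbs and workload resources that amount to container enumeration (assumed set).
DISCOVERY_VERBS = {"list", "get", "watch"}
WORKLOAD_RESOURCES = {"pods", "deployments", "replicasets", "daemonsets", "statefulsets", "jobs", "cronjobs"}
# ECS API names that enumerate clusters, services and tasks (assumed set).
ECS_DISCOVERY_EVENTS = {"ListClusters", "DescribeClusters", "ListServices", "DescribeServices",
                        "ListTasks", "DescribeTasks", "ListContainerInstances", "DescribeContainerInstances"}
# Assumed baseline of identities expected to run discovery (constructed values).
KNOWN_OPERATORS = {"alice", "arn:aws:iam::123456789012:user/bob"}

# Constructed Kubernetes audit events (audit.k8s.io/v1), trimmed to the fields used here.
K8S_AUDIT_EVENTS = [
    {"verb": "list", "user": {"username": "alice"},
     "objectRef": {"resource": "pods", "namespace": "prod"}, "userAgent": "kubectl/v1.29.0"},
    {"verb": "list", "user": {"username": "system:serviceaccount:web:frontend"},
     "objectRef": {"resource": "pods"}, "userAgent": "curl/8.4.0"},
    {"verb": "get", "user": {"username": "system:serviceaccount:web:frontend"},
     "objectRef": {"resource": "deployments", "namespace": "kube-system"}, "userAgent": "curl/8.4.0"},
    {"verb": "create", "user": {"username": "alice"},
     "objectRef": {"resource": "pods", "namespace": "prod"}, "userAgent": "kubectl/v1.29.0"},
]

# Constructed CloudTrail records, using CloudTrail's own field names.
CLOUDTRAIL_RECORDS = [
    {"eventSource": "ecs.amazonaws.com", "eventName": "ListTasks",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"}},
    {"eventSource": "ecs.amazonaws.com", "eventName": "DescribeTasks",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/ci-runner/session"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"}},
]

def k8s_discovery_calls(events):
    """Return (identity, action) pairs for read calls against workload resources."""
    calls = []
    for ev in events:
        ref = ev.get("objectRef", {})
        if ev.get("verb") in DISCOVERY_VERBS and ref.get("resource") in WORKLOAD_RESOURCES:
            scope = ref.get("namespace") or "cluster-wide"  # no namespace = cluster-wide listing
            calls.append((ev["user"]["username"], f'{ev["verb"]} {ref["resource"]} ({scope})'))
    return calls

def ecs_discovery_calls(records):
    """Return (identity, action) pairs for ECS enumeration calls in CloudTrail."""
    return [(r["userIdentity"]["arn"], r["eventName"]) for r in records
            if r.get("eventSource") == "ecs.amazonaws.com" and r.get("eventName") in ECS_DISCOVERY_EVENTS]

def calls_by_identity(calls):
    """Count discovery actions per identity: {identity: {action: count}}."""
    summary = {}
    for identity, action in calls:
        per_identity = summary.setdefault(identity, {})
        per_identity[action] = per_identity.get(action, 0) + 1
    return summary

def unexpected_identities(summary, known=KNOWN_OPERATORS):
    """Keep only identities that are not in the baseline of known operators."""
    return {identity: actions for identity, actions in summary.items() if identity not in known}

if __name__ == "__main__":
    summary = calls_by_identity(k8s_discovery_calls(K8S_AUDIT_EVENTS) + ecs_discovery_calls(CLOUDTRAIL_RECORDS))
    for identity, actions in unexpected_identities(summary).items():
        print(identity, actions)
```

On the constructed input the service account `system:serviceaccount:web:frontend` (listing pods cluster-wide from `curl`) and the `ci-runner` assumed role are the two identities flagged; `alice` and `bob` are in the baseline. The `create` event and the EC2 call are ignored because they are not container enumeration. The baseline is the part that needs care in practice: build it from the same audit sources over a quiet period, and expect service accounts to dominate Kubernetes list/watch traffic, since controllers enumerate pods continuously.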

Container: Container Start

"Container Start" data component captures events related to the activation or invocation of a container within a containerized environment. This includes starting a previously stopped container, restarting an existing container, or initializing a container for runtime. Monitoring these activities is critical for identifying unauthorized or unexpected container activations, which may indicate potential adversarial activity or misconfigurations. Examples:

  • Docker Example: docker start <container_name>, docker restart <container_name>
  • Kubernetes Example: Kubernetes automatically restarts containers as part of pod lifecycle management (e.g., due to health checks or configuration changes).
  • Cloud-Native Example
    • AWS ECS: API Call: StartTask to activate a stopped ECS task.
    • Azure Container Instances: Command to restart a container group instance.
    • GCP Kubernetes Engine: Automatic restarts as part of node or pod management.

This data component can be collected through the following measures:

  • Docker Audit Logging: Enable Docker logging to capture start and restart events. Use tools like auditd to monitor terminal activity involving container lifecycle commands.
  • Kubernetes Audit Logs: Enable Kubernetes API server audit logging.
  • Cloud Provider Logs
    • AWS CloudTrail: Capture StartTask or related API calls for ECS.
    • Azure Monitor: Track activity in container groups that indicate start or restart events.
    • GCP Cloud Logging: Record logs related to pod restarts or scaling events in Kubernetes Engine.
  • SIEM Integration: Collect logs from Docker, Kubernetes, and cloud services to correlate container start events.

Domain | ID | Name | Detects
Enterprise | T1610 | Deploy Container

Monitor for the start of containers, especially those not aligned with expected images or known administrative schedules.

Analytic 1 - Unexpected container starts

sourcetype=docker:daemon OR sourcetype=kubernetes:event
| search action="start"
| where user NOT IN ("known_admins")

Enterprise | T1204 | User Execution

Monitor for the activation or invocation of a container (ex: docker start or docker restart).

Enterprise | T1204.003 | Malicious Image

Monitor the behavior of containers within the environment to detect anomalous behavior or malicious activity after users deploy from malicious images.
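The "Unexpected container starts" analytic filters start events by user, but Docker daemon events do not record which account ran the command; the collection notes point to auditd on the host for that. The following is an added example, not MITRE's code, that reconstructs `docker start`, `docker restart`, `docker run` and `docker create` invocations from auditd SYSCALL+EXECVE record pairs (including auditd's hex encoding of arguments that contain spaces) and flags those run by an account outside a known administrator set. The audit rule, the admin set, the auid-to-name map and the sample records are all assumptions made for the example.

```python
"""Added example (not MITRE's code): rebuild docker lifecycle commands from auditd
records and flag invocations by accounts outside a known administrator set."""
import re

# Assumed auditd rule producing these records:
#   -a always,exit -F arch=b64 -S execve -F exe=/usr/bin/docker -k container_lifecycle
# Constructed records: three execve events, each a SYSCALL line plus an EXECVE line
# sharing the same serial (the number after the colon in msg=audit(...)).
AUDITD_LINES = """\
type=SYSCALL msg=audit(1700000000.123:4242): arch=c000003e syscall=59 success=yes exit=0 ppid=2200 pid=2201 auid=1001 uid=1001 comm="docker" exe="/usr/bin/docker" key="container_lifecycle"
type=EXECVE msg=audit(1700000000.123:4242): argc=3 a0="docker" a1="start" a2="my-container"
type=SYSCALL msg=audit(1700000000.987:4243): arch=c000003e syscall=59 success=yes exit=0 ppid=3300 pid=3301 auid=1002 uid=1002 comm="docker" exe="/usr/bin/docker" key="container_lifecycle"
type=EXECVE msg=audit(1700000000.987:4243): argc=6 a0="docker" a1="run" a2="--label" a3=6F776E65723D6F7073207465616D a4="--privileged" a5="nginx:latest"
type=SYSCALL msg=audit(1700000001.500:4244): arch=c000003e syscall=59 success=yes exit=0 ppid=2200 pid=2202 auid=1001 uid=1001 comm="docker" exe="/usr/bin/docker" key="container_lifecycle"
type=EXECVE msg=audit(1700000001.500:4244): argc=2 a0="docker" a1="ps"
"""

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
LIFECYCLE_SUBCOMMANDS = {"start", "restart", "run", "create"}
KNOWN_ADMINS = {"alice"}                          # assumed accounts allowed to start containers
AUID_TO_NAME = {1001: "alice", 1002: "builder"}   # assumed; normally resolved from /etc/passwd

def parse_fields(line):
    """Split one auditd record into key/value pairs; EXECVE args that auditd
    hex-encoded (because they contain spaces or quotes) are decoded."""
    fields = {}
    for key, quoted, bare in FIELD_RE.findall(line):
        if bare and re.fullmatch(r"a\d+", key) and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", bare):
            fields[key] = bytes.fromhex(bare).decode("utf-8", "replace")
        else:
            fields[key] = quoted or bare
    return fields

def group_events(audit_text):
    """Group records by audit serial, keeping SYSCALL fields and the ordered EXECVE argv."""
    events = {}
    for line in audit_text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        ev = events.setdefault(m.group(2), {"time": float(m.group(1)), "syscall": {}, "argv": []})
        fields = parse_fields(line)
        if fields.get("type") == "SYSCALL":
            ev["syscall"] = fields
        elif fields.get("type") == "EXECVE":
            ev["argv"] = [fields.get(f"a{i}", "") for i in range(int(fields.get("argc", 0)))]
    return events

def lifecycle_commands(audit_text):
    """Return docker start/restart/run/create invocations with the account that ran them."""
    commands = []
    for serial, ev in group_events(audit_text).items():
        argv = ev["argv"]
        if len(argv) < 2 or argv[0].rsplit("/", 1)[-1] != "docker" or argv[1] not in LIFECYCLE_SUBCOMMANDS:
            continue
        auid = int(ev["syscall"].get("auid", -1))   # login uid survives su/sudo, unlike uid
        commands.append({"serial": serial, "time": ev["time"], "auid": auid,
                         "user": AUID_TO_NAME.get(auid, f"auid:{auid}"),
                         "subcommand": argv[1], "argv": argv})
    return commands

def unexpected_starts(audit_text, known_admins=KNOWN_ADMINS):
    """Lifecycle commands run by accounts that are not known administrators."""
    return [c for c in lifecycle_commands(audit_text) if c["user"] not in known_admins]

if __name__ == "__main__":
    for c in unexpected_starts(AUDITD_LINES):
        print(c["user"], c["subcommand"], " ".join(c["argv"]))
```

On the constructed records, `alice` starting `my-container` is accepted, `docker ps` is ignored because it is enumeration rather than a lifecycle command, and the `docker run --privileged` by `builder` (auid 1002) is flagged. Matching on `auid` rather than `uid` is deliberate: the login uid is preserved across `su` and `sudo`, so the command is attributed to the person who logged in, not to root.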

References