A standard unit of virtualized software that packages up code and all its dependencies so the application runs quickly and reliably from one computing environment to another[1]
"Container Creation" data component captures details about the initial construction of a container in a containerized environment. This includes events where a new container is instantiated, such as through Docker, Kubernetes, or other container orchestration platforms. Monitoring these events helps detect unauthorized or potentially malicious container creation. Examples:

- `docker create my-container`, `docker run --name=my-container nginx:latest`
- `kubectl run my-pod --image=nginx`, `kubectl create deployment my-deployment --image=nginx`
- `RunTask` or `CreateService`

This data component can be collected through the following measures:

- Docker daemon logs of `create` commands. Configure the Docker daemon to use a log driver such as `syslog` or `json-file`.
- `RunTask` or `CreateService` events.
- `container.projects.zones.clusters.create` events.
Domain | ID | Name | Detects
---|---|---|---
Enterprise | T1543 | Create or Modify System Process | Monitor for newly constructed containers that repeatedly execute malicious payloads as part of persistence or privilege escalation.
Enterprise | T1543.005 | Container Service | Monitor for newly constructed containers that repeatedly execute malicious payloads as part of persistence or privilege escalation.
Enterprise | T1610 | Deploy Container | Monitor container creation to detect suspicious or unknown images being deployed. Ensure that only authorized images are being used in the environment, especially in sensitive areas. Analytic 1 - Creation of unexpected or unauthorized containers.
Enterprise | T1611 | Escape to Host | Monitor for the deployment of suspicious or unknown container images and pods in your environment, particularly containers running as root.
Enterprise | T1053 | Scheduled Task/Job | Monitor for newly constructed containers that may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Analytic 1 - Look for new container creation events with unusual parameters.
Enterprise | T1053.007 | Container Orchestration Job | Monitor for container creation events within Kubernetes clusters. This helps track when new containers are being deployed, especially by jobs that could have been scheduled by adversaries. Analytic 1 - Look for new container creation events with unusual parameters.
Enterprise | T1204 | User Execution | Monitor for newly constructed containers that may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Analytic 1 - Containers communicating with unexpected external services.
Enterprise | T1204.003 | Malicious Image | Track the deployment of new containers, especially from newly built images.
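The analytics in the table above (unapproved image, container running as root, unusual creation parameters) can be applied to the two collection sources named earlier. The following is an added example, not part of the ATT&CK data component or any vendor's code: it normalizes constructed sample lines in the shape of `docker events --format '{{json .}}'` and of Kubernetes `audit.k8s.io/v1` pod `create` events into one record type and flags the creations that violate an assumed image allowlist (`APPROVED_IMAGES` is a placeholder policy) or request a privileged or root security context.

```python
"""Detect unexpected container creation from Docker event and Kubernetes audit logs (added example)."""
import json
from datetime import datetime, timezone

# Constructed sample lines, not real logs. Docker lines follow the shape of
# `docker events --format '{{json .}}'`; Kubernetes lines follow audit.k8s.io/v1.
DOCKER_EVENTS = [
    '{"status":"create","id":"3f1c","from":"nginx:latest","Type":"container","Action":"create",'
    '"Actor":{"ID":"3f1c","Attributes":{"image":"nginx:latest","name":"my-container"}},"time":1700000000}',
    '{"status":"create","id":"9a2e","from":"registry.example.test/unknown-tool:1.0","Type":"container","Action":"create",'
    '"Actor":{"ID":"9a2e","Attributes":{"image":"registry.example.test/unknown-tool:1.0","name":"svc-helper"}},"time":1700000060}',
]
K8S_AUDIT_EVENTS = [
    '{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"create","user":{"username":"system:serviceaccount:kube-system:deploy-bot"},'
    '"objectRef":{"resource":"pods","namespace":"default","name":"my-pod"},'
    '"requestObject":{"spec":{"containers":[{"name":"nginx","image":"nginx"}]}},"requestReceivedTimestamp":"2023-11-14T22:13:20Z"}',
    '{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"create","user":{"username":"alice"},'
    '"objectRef":{"resource":"pods","namespace":"prod","name":"debug"},'
    '"requestObject":{"spec":{"containers":[{"name":"sh","image":"nginx","securityContext":{"privileged":true,"runAsUser":0}}]}},'
    '"requestReceivedTimestamp":"2023-11-14T22:14:20Z"}',
]

# Assumed allowlist of approved images (placeholder; a real one comes from registry/admission policy).
APPROVED_IMAGES = {"nginx", "nginx:latest"}


def normalize_docker(line):
    """Turn one Docker event line into a creation record, or None if it is not a container create."""
    ev = json.loads(line)
    if ev.get("Type") != "container" or ev.get("Action") != "create":
        return None
    attrs = ev.get("Actor", {}).get("Attributes", {})
    return {
        "source": "docker",
        "actor": "docker-daemon",   # the event stream carries no user identity
        "name": attrs.get("name"),
        "image": attrs.get("image"),
        "privileged": False,        # not visible in the event stream; `docker inspect` would show it
        "root": False,
        "ts": datetime.fromtimestamp(ev["time"], tz=timezone.utc),
    }


def normalize_k8s(line):
    """Turn one Kubernetes audit event into creation records, one per container in the pod spec."""
    ev = json.loads(line)
    if ev.get("verb") != "create" or ev.get("objectRef", {}).get("resource") != "pods":
        return []
    ts = datetime.fromisoformat(ev["requestReceivedTimestamp"].replace("Z", "+00:00"))
    ref = ev["objectRef"]
    records = []
    for c in ev.get("requestObject", {}).get("spec", {}).get("containers", []):
        sc = c.get("securityContext", {})
        records.append({
            "source": "kubernetes",
            "actor": ev.get("user", {}).get("username"),
            "name": f"{ref.get('namespace')}/{ref.get('name')}/{c.get('name')}",
            "image": c.get("image"),
            "privileged": bool(sc.get("privileged", False)),
            "root": sc.get("runAsUser") == 0,   # an absent runAsUser is inconclusive, not "non-root"
            "ts": ts,
        })
    return records


def analyze(records, approved=APPROVED_IMAGES):
    """Apply the creation analytics: unapproved image, privileged container, container running as root."""
    findings = []
    for r in records:
        reasons = []
        if r["image"] not in approved:
            reasons.append("unapproved image")
        if r["privileged"]:
            reasons.append("privileged")
        if r["root"]:
            reasons.append("runs as root")
        if reasons:
            findings.append((r["source"], r["name"], r["image"], reasons))
    return findings


def run(docker_lines=DOCKER_EVENTS, k8s_lines=K8S_AUDIT_EVENTS):
    """Normalize both sources and return the list of findings."""
    records = [r for line in docker_lines if (r := normalize_docker(line))]
    for line in k8s_lines:
        records.extend(normalize_k8s(line))
    return analyze(records)


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

The Docker event stream identifies the image and container name but not the caller or the security options, so the privileged/root checks only fire on the Kubernetes audit source; on a plain Docker host those flags have to come from `docker inspect` or the daemon's API access log.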
"Container Enumeration" data component captures events and actions related to listing and identifying active or available containers within a containerized environment. This includes information about running, stopped, or configured containers, such as their names, IDs, statuses, or associated images. Monitoring this activity is crucial for detecting unauthorized discovery or reconnaissance efforts. Examples:

- `docker ps`, `docker ps -a`
- `kubectl get pods`, `kubectl get deployments`

This data component can be collected through the following measures:
Domain | ID | Name | Detects
---|---|---|---
Enterprise | T1613 | Container and Resource Discovery | Monitor logs for actions that could be taken to gather information about container infrastructure, including the use of discovery API calls by new or unexpected users. Monitor account activity logs to see actions performed and activity associated with the Kubernetes dashboard and other web applications.
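The T1613 row asks for discovery API calls by new or unexpected users. In a Kubernetes cluster, `kubectl get pods` and `kubectl get deployments` arrive at the API server as `list` verbs on the `pods` and `deployments` resources and are recorded in the audit log. The following added example (not ATT&CK's or any vendor's code) summarizes constructed `audit.k8s.io/v1` events per identity and flags users who are outside an assumed enumeration baseline (`BASELINE_USERS` is a placeholder), who enumerate several resource types, or who list cluster-wide rather than within a namespace.

```python
"""Flag container and resource enumeration by unexpected identities in Kubernetes audit logs (added example)."""
import json
from collections import defaultdict

# Verbs and resources that amount to discovery of workloads; a get of one named object is treated as routine.
DISCOVERY_VERBS = {"list", "watch"}
DISCOVERY_RESOURCES = {"pods", "deployments", "nodes", "namespaces", "services"}

# Constructed sample audit events in the audit.k8s.io/v1 shape, not real logs.
AUDIT_LINES = [
    '{"verb":"list","user":{"username":"system:serviceaccount:monitoring:prometheus"},"objectRef":{"resource":"pods","namespace":"prod"}}',
    '{"verb":"list","user":{"username":"bob"},"objectRef":{"resource":"pods"}}',
    '{"verb":"list","user":{"username":"bob"},"objectRef":{"resource":"deployments","apiGroup":"apps"}}',
    '{"verb":"list","user":{"username":"bob"},"objectRef":{"resource":"nodes"}}',
    '{"verb":"get","user":{"username":"alice"},"objectRef":{"resource":"pods","namespace":"dev","name":"web-1"}}',
    '{"verb":"create","user":{"username":"bob"},"objectRef":{"resource":"pods","namespace":"dev","name":"debug"}}',
]

# Assumed baseline of identities expected to enumerate workloads (placeholder; derive it from historical audit data).
BASELINE_USERS = {"system:serviceaccount:monitoring:prometheus"}


def discovery_events(lines):
    """Yield only the audit events that enumerate workloads."""
    for line in lines:
        ev = json.loads(line)
        if ev.get("verb") in DISCOVERY_VERBS and ev.get("objectRef", {}).get("resource") in DISCOVERY_RESOURCES:
            yield ev


def summarize(lines):
    """Per user: distinct resource types enumerated, number of cluster-wide calls, total discovery calls."""
    per_user = defaultdict(lambda: {"resources": set(), "cluster_wide": 0, "count": 0})
    for ev in discovery_events(lines):
        ref = ev["objectRef"]
        stats = per_user[ev["user"]["username"]]
        stats["resources"].add(ref["resource"])
        stats["count"] += 1
        if "namespace" not in ref:          # no namespace means the list spanned the whole cluster
            stats["cluster_wide"] += 1
    return per_user


def findings(lines=AUDIT_LINES, baseline=BASELINE_USERS, resource_threshold=3):
    """Return (user, sorted resource types, reasons) for each identity whose discovery activity is suspicious."""
    out = []
    for user, stats in summarize(lines).items():
        reasons = []
        if user not in baseline:
            reasons.append("user not in enumeration baseline")
        if len(stats["resources"]) >= resource_threshold:
            reasons.append(f"enumerated {len(stats['resources'])} resource types")
        if stats["cluster_wide"]:
            reasons.append(f"{stats['cluster_wide']} cluster-wide list/watch calls")
        if reasons:
            out.append((user, sorted(stats["resources"]), reasons))
    return sorted(out)


if __name__ == "__main__":
    for finding in findings():
        print(finding)
```

Baseline membership alone is a weak signal in clusters with many human users; the resource-type count and the cluster-wide scope are what separate a broad survey of the cluster from an engineer checking one namespace.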
"Container Start" data component captures events related to the activation or invocation of a container within a containerized environment. This includes starting a previously stopped container, restarting an existing container, or initializing a container for runtime. Monitoring these activities is critical for identifying unauthorized or unexpected container activations, which may indicate potential adversarial activity or misconfigurations. Examples:

- `docker start <container_name>`, `docker restart <container_name>`

This data component can be collected through the following measures:
Domain | ID | Name | Detects
---|---|---|---
Enterprise | T1610 | Deploy Container | Monitor for the start of containers, especially those not aligned with expected images or known administrative schedules. Analytic 1 - Unexpected container starts.
Enterprise | T1204 | User Execution | Monitor for the activation or invocation of a container (ex: `docker start` or `docker restart`).
Enterprise | T1204.003 | Malicious Image | Monitor the behavior of containers within the environment to detect anomalous behavior or malicious activity after users deploy from malicious images.
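The T1610 row above calls for start events that are not aligned with expected images or known administrative schedules. The following added example (not ATT&CK's or Docker's code) reads constructed lines in the shape of `docker events --format '{{json .}}'`, keeps only `start` and `restart` actions, and flags those whose image is outside an assumed allowlist or whose timestamp falls outside an assumed administrative window (`APPROVED_IMAGES` and `ADMIN_WINDOW` are placeholders for local policy).

```python
"""Flag container start/restart events outside expected images or administrative windows (added example)."""
import json
from datetime import datetime, timezone

# Constructed sample lines in the shape of `docker events --format '{{json .}}'`, not real logs.
# 1699966800 = 2023-11-14 13:00:00 UTC (a Tuesday); 1700000000 = 2023-11-14 22:13:20 UTC.
DOCKER_EVENTS = [
    '{"Type":"container","Action":"start","Actor":{"ID":"3f1c","Attributes":{"image":"nginx:latest","name":"web"}},"time":1699966800}',
    '{"Type":"container","Action":"restart","Actor":{"ID":"3f1c","Attributes":{"image":"nginx:latest","name":"web"}},"time":1700000000}',
    '{"Type":"container","Action":"start","Actor":{"ID":"9a2e","Attributes":{"image":"registry.example.test/unknown-tool:1.0","name":"helper"}},"time":1699966860}',
    '{"Type":"container","Action":"create","Actor":{"ID":"9a2e","Attributes":{"image":"registry.example.test/unknown-tool:1.0","name":"helper"}},"time":1699966850}',
]

# Assumed policy (placeholders): approved images and the window in which administrators restart workloads.
APPROVED_IMAGES = {"nginx:latest"}
ADMIN_WINDOW = {"weekdays": {0, 1, 2, 3, 4}, "start_hour": 8, "end_hour": 18}   # Mon-Fri 08:00-18:00 UTC


def in_admin_window(ts, window=ADMIN_WINDOW):
    """True when a timezone-aware datetime falls inside the administrative window."""
    return ts.weekday() in window["weekdays"] and window["start_hour"] <= ts.hour < window["end_hour"]


def check_start(line, approved=APPROVED_IMAGES, window=ADMIN_WINDOW):
    """Return (action, name, image, reasons) for a suspicious start/restart, None otherwise."""
    ev = json.loads(line)
    if ev.get("Type") != "container" or ev.get("Action") not in {"start", "restart"}:
        return None
    attrs = ev.get("Actor", {}).get("Attributes", {})
    ts = datetime.fromtimestamp(ev["time"], tz=timezone.utc)
    reasons = []
    if attrs.get("image") not in approved:
        reasons.append("unapproved image")
    if not in_admin_window(ts, window):
        reasons.append("outside administrative window")
    if not reasons:
        return None
    return (ev["Action"], attrs.get("name"), attrs.get("image"), reasons)


def findings(lines=DOCKER_EVENTS):
    """Run check_start over every line and collect the non-empty results in input order."""
    return [f for f in (check_start(line) for line in lines) if f]


if __name__ == "__main__":
    for finding in findings():
        print(finding)
```

A restart of an approved image at an odd hour is the weaker of the two signals and is best correlated with the host's authentication logs before it is escalated; an unapproved image starting at any time is the case the T1610 and T1204.003 rows are concerned with.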