Container

A standard unit of virtualized software that packages up code and all its dependencies so the application runs quickly and reliably from one computing environment to another[1]

ID: DS0032
Platform: Containers
Collection Layer: Container
Contributors: Center for Threat-Informed Defense (CTID)
Version: 1.0
Created: 20 October 2021
Last Modified: 10 November 2021

Data Components

Container: Container Creation

Initial construction of a new container (ex: docker create )

Container: Container Creation

Initial construction of a new container (ex: docker create )

Domain ID Name Detects
Enterprise T1610 Deploy Container

Monitor for newly constructed containers that may deploy a container into an environment to facilitate execution or evade defenses.

Enterprise T1611 Escape to Host

Monitor for the deployment of suspicious or unknown container images and pods in your environment, particularly containers running as root.

Enterprise T1053 Scheduled Task/Job

Monitor for newly constructed containers that may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.

.007 Container Orchestration Job

Monitor for newly constructed containers

Enterprise T1204 User Execution

Monitor for newly constructed containers that may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel.

.003 Malicious Image

Track the deployment of new containers, especially from newly built images.

Container: Container Enumeration

An extracted list of containers (ex: docker ps)

Container: Container Enumeration

An extracted list of containers (ex: docker ps)

Domain ID Name Detects
Enterprise T1613 Container and Resource Discovery

Monitor logs for actions that could be taken to gather information about container infrastructure, including the use of discovery API calls by new or unexpected users. Monitor account activity logs to see actions performed and activity associated with the Kubernetes dashboard and other web applications.

Container: Container Start

Activation or invocation of a container (ex: docker start or docker restart)

Container: Container Start

Activation or invocation of a container (ex: docker start or docker restart)

Domain ID Name Detects
Enterprise T1610 Deploy Container

Monitor for activation or invocation of a container that may deploy a container into an environment to facilitate execution or evade defenses.

Enterprise T1204 User Execution

Monitor for the activation or invocation of a container (ex: docker start or docker restart)

.003 Malicious Image

Monitor the behavior of containers within the environment to detect anomalous behavior or malicious activity after users deploy from malicious images.

References