T1613 Container and Resource Discovery Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let ContainerDiscoveryCommands = dynamic(["docker ps", "docker inspect", "docker images", "docker info", "docker stats", "docker network ls", "docker volume ls", "docker container ls"]);
let KubeDiscoveryPatterns = dynamic(["get pods", "get nodes", "get namespaces", "get services", "get deployments", "get secrets", "get configmaps", "describe pod", "describe node", "cluster-info", "get all", "get sa", "get serviceaccount"]);
let CrictlCommands = dynamic(["crictl ps", "crictl pods", "crictl images", "crictl info"]);
let SuspiciousParents = dynamic(["bash", "sh", "dash", "zsh", "python", "python3", "perl", "ruby", "nc", "ncat", "socat"]);
DeviceProcessEvents
| where TimeGenerated > ago(1d)
| where (
    // Docker enumeration commands
    (ProcessCommandLine has "docker" and (
        ProcessCommandLine has "ps" or
        ProcessCommandLine has "inspect" or
        ProcessCommandLine has "images" or
        ProcessCommandLine has "info" or
        ProcessCommandLine has "stats" or
        ProcessCommandLine has "network ls" or
        ProcessCommandLine has "volume ls" or
        ProcessCommandLine has "container ls"
    ))
    or
    // kubectl enumeration
    (FileName =~ "kubectl" and (
        ProcessCommandLine has "get pods" or
        ProcessCommandLine has "get nodes" or
        ProcessCommandLine has "get namespaces" or
        ProcessCommandLine has "get services" or
        ProcessCommandLine has "get deployments" or
        ProcessCommandLine has "get secrets" or
        ProcessCommandLine has "get configmaps" or
        ProcessCommandLine has "get all" or
        ProcessCommandLine has "cluster-info" or
        ProcessCommandLine has "describe" or
        ProcessCommandLine has "get sa" or
        ProcessCommandLine has "get serviceaccount"
    ))
    or
    // crictl (containerd CLI) enumeration
    (FileName =~ "crictl" and (
        ProcessCommandLine has "ps" or
        ProcessCommandLine has "pods" or
        ProcessCommandLine has "images" or
        ProcessCommandLine has "info"
    ))
    or
    // ctr (containerd) enumeration
    (FileName =~ "ctr" and (
        ProcessCommandLine has "containers list" or
        ProcessCommandLine has "images list" or
        ProcessCommandLine has "tasks list"
    ))
    or
    // Peirates and similar offensive tools
    (FileName =~ "peirates")
    or
    // curl/wget against Docker socket or Kubernetes API
    ((FileName in~ ("curl", "wget")) and (
        ProcessCommandLine has "/var/run/docker.sock" or
        ProcessCommandLine has ":8080/api" or
        ProcessCommandLine has ":6443/api" or
        ProcessCommandLine has ":10250" or
        ProcessCommandLine has "/api/v1/pods" or
        ProcessCommandLine has "/api/v1/nodes" or
        ProcessCommandLine has "/api/v1/namespaces"
    ))
)
| extend RiskScore = case(
    InitiatingProcessFileName in~ (SuspiciousParents), 80,
    AccountName !in~ ("root", "system") and FileName =~ "kubectl", 60,
    ProcessCommandLine has "get secrets", 90,
    ProcessCommandLine has "/var/run/docker.sock", 85,
    ProcessCommandLine has ":10250", 80,
    40
)
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, RiskScore
| where RiskScore >= 40
| order by RiskScore desc, TimeGenerated desc

medium severity medium confidence

Data Sources

Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Legitimate DevOps engineers and SREs routinely run kubectl get pods/nodes and docker ps for operational monitoring and troubleshooting
CI/CD pipeline agents (Jenkins, GitLab Runner, GitHub Actions self-hosted) execute container enumeration commands as part of automated build, test, and deploy workflows
Kubernetes operators, admission controllers, and monitoring tools (Prometheus node-exporter, Datadog agent, Falco) query the kubelet API and Kubernetes API server continuously for health data
Container security scanners (Trivy, Anchore, Snyk) enumerate images and running containers during scheduled vulnerability assessments

Splunk

spl

index=* (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="linux_secure" OR sourcetype="syslog" OR sourcetype="auditd")
| eval is_container_discovery=0
| eval cmd=coalesce(CommandLine, command, cmd_line, "")
| eval process=coalesce(Image, process_name, comm, "")
| eval parent_process=coalesce(ParentImage, parent_process_name, "")
```Docker enumeration```
| eval is_container_discovery=if(
    (match(process, "(?i)docker$") AND match(cmd, "(?i)(\\bps\\b|inspect|images|info|stats|network ls|volume ls|container ls)")),
    1, is_container_discovery)
```kubectl enumeration```
| eval is_container_discovery=if(
    (match(process, "(?i)kubectl$") AND match(cmd, "(?i)(get (pods|nodes|namespaces|services|deployments|secrets|configmaps|all|sa)|cluster-info|describe)")),
    1, is_container_discovery)
```crictl/ctr enumeration```
| eval is_container_discovery=if(
    (match(process, "(?i)(crictl|ctr)$") AND match(cmd, "(?i)(ps|pods|images|info|containers list|tasks list)")),
    1, is_container_discovery)
```Peirates offensive tool```
| eval is_container_discovery=if(match(process, "(?i)peirates"), 1, is_container_discovery)
```curl/wget against Docker socket or Kubernetes API```
| eval is_container_discovery=if(
    (match(process, "(?i)(curl|wget)$") AND match(cmd, "(?i)(\/var\/run\/docker\.sock|:8080\/api|:6443\/api|:10250|\/api\/v1\/(pods|nodes|namespaces))")),
    1, is_container_discovery)
| where is_container_discovery=1
| eval risk_score=case(
    match(cmd, "(?i)get secrets"), 90,
    match(cmd, "(?i)\/var\/run\/docker\.sock"), 85,
    match(cmd, "(?i):10250"), 80,
    match(parent_process, "(?i)(bash|sh|dash|zsh|python3?|perl|ruby|nc|ncat|socat)"), 80,
    match(process, "(?i)peirates"), 95,
    1==1, 40
)
| eval severity=case(risk_score >= 85, "critical", risk_score >= 70, "high", risk_score >= 50, "medium", 1==1, "low")
| stats count as execution_count, values(cmd) as commands, values(parent_process) as parent_processes, max(risk_score) as max_risk_score, min(_time) as first_seen, max(_time) as last_seen by host, user, process, severity
| where execution_count >= 1
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"), last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort - max_risk_score
| table host, user, process, commands, parent_processes, execution_count, max_risk_score, severity, first_seen, last_seen

medium severity medium confidence

Data Sources

Sysmon Linux Auditd Linux Secure Logs

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational linux_secure syslog auditd

False Positives

Platform engineering teams performing routine cluster health checks via kubectl get nodes/pods as part of on-call runbooks
Monitoring and observability platforms (Prometheus, Datadog, New Relic) continuously querying Kubernetes API and kubelet endpoints for metrics and service discovery
Container orchestration automation scripts in CI/CD systems that enumerate running containers to determine deployment state before rolling updates
Security baseline tools (kube-bench, kube-hunter in assessment mode) that enumerate cluster resources as part of authorized security posture reviews

Elastic Security (EQL)

eql

process where process.name in ("docker", "kubectl", "crictl", "ctr", "podman", "nsenter", "runc") and (process.args : ("exec", "run", "create", "deploy", "--privileged", "--pid=host", "--net=host", "--cap-add", "SYS_ADMIN", "nsenter") or process.command_line : ("*--privileged*", "*--pid=host*", "*--cap-add=SYS_ADMIN*", "*nsenter*pid*1*"))

medium severity medium confidence

Data Sources

Elastic Endpoint Security Kubernetes Audit Logs

Required Tables

logs-endpoint.events.process-*

False Positives

Legitimate DevOps engineers and SREs routinely run kubectl get pods/nodes and docker ps for operational monitoring and troubleshooting
CI/CD pipeline agents (Jenkins, GitLab Runner, GitHub Actions self-hosted) execute container enumeration commands as part of automated build, test, and deploy workflows
Kubernetes operators, admission controllers, and monitoring tools (Prometheus node-exporter, Datadog agent, Falco) query the kubelet API and Kubernetes API server continuously for health data
Container security scanners (Trivy, Anchore, Snyk) enumerate images and running containers during scheduled vulnerability assessments

IBM QRadar (AQL)

sql

SELECT username as "Username", "UTF8(payload)" as "CommandLine", sourceip as "SourceIP", devicetime as "EventTime", CASE WHEN "CommandLine" ILIKE '%--privileged%' OR "CommandLine" ILIKE '%nsenter%pid%1%' THEN 90 WHEN "CommandLine" ILIKE '%--pid=host%' OR "CommandLine" ILIKE '%--cap-add=SYS_ADMIN%' THEN 80 WHEN "CommandLine" ILIKE '%docker exec%' OR "CommandLine" ILIKE '%kubectl exec%' THEN 65 ELSE 50 END as "RiskScore" FROM events WHERE eventid = 4688 AND ("CommandLine" ILIKE '%docker%' OR "CommandLine" ILIKE '%kubectl%' OR "CommandLine" ILIKE '%crictl%' OR "CommandLine" ILIKE '%podman%' OR "CommandLine" ILIKE '%nsenter%') ORDER BY "RiskScore" DESC LAST 24 HOURS

medium severity medium confidence

Data Sources

Linux OS Kubernetes Audit

Required Tables

events

False Positives

Legitimate DevOps engineers and SREs routinely run kubectl get pods/nodes and docker ps for operational monitoring and troubleshooting
CI/CD pipeline agents (Jenkins, GitLab Runner, GitHub Actions self-hosted) execute container enumeration commands as part of automated build, test, and deploy workflows
Kubernetes operators, admission controllers, and monitoring tools (Prometheus node-exporter, Datadog agent, Falco) query the kubelet API and Kubernetes API server continuously for health data
Container security scanners (Trivy, Anchore, Snyk) enumerate images and running containers during scheduled vulnerability assessments

Sumo Logic CSE

sql

_sourceCategory=endpoint/linux OR _sourceCategory=endpoint/kubernetes | json auto | where process_name in ("docker", "kubectl", "crictl", "ctr", "podman", "nsenter", "runc") | if(matches(command_line, "*--privileged*") or matches(command_line, "*nsenter*pid*1*"), "Critical", if(matches(command_line, "*--pid=host*") or matches(command_line, "*--cap-add=SYS_ADMIN*"), "High", "Medium")) as RiskLevel | stats count by user_name, process_name, command_line, RiskLevel | sort by count desc

medium severity medium confidence

Data Sources

Linux Endpoint Events Kubernetes Audit Logs

Required Tables

endpoint/linux endpoint/kubernetes

False Positives

Legitimate DevOps engineers and SREs routinely run kubectl get pods/nodes and docker ps for operational monitoring and troubleshooting
CI/CD pipeline agents (Jenkins, GitLab Runner, GitHub Actions self-hosted) execute container enumeration commands as part of automated build, test, and deploy workflows
Kubernetes operators, admission controllers, and monitoring tools (Prometheus node-exporter, Datadog agent, Falco) query the kubelet API and Kubernetes API server continuously for health data
Container security scanners (Trivy, Anchore, Snyk) enumerate images and running containers during scheduled vulnerability assessments

Google Chronicle / SecOps

yaral

rule detect_container_abuse {
  meta:
    author = "Argus"
    description = "Detects suspicious container management and escape attempts"
    severity = "HIGH"
    technique = "T1609_T1611"
  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      $e.target.process.file.full_path = "/usr/bin/docker" or
      $e.target.process.file.full_path = "/usr/bin/kubectl" or
      $e.target.process.file.full_path = "/usr/bin/nsenter" or
      re.regex($e.target.process.file.full_path, `crictl|podman|runc`) nocase
    )
    (
      re.regex($e.target.process.command_line, `--privileged|--pid=host|--cap-add=SYS_ADMIN|nsenter.*--pid.*1`) nocase
    )
  condition:
    $e
}

medium severity medium confidence

Data Sources

Endpoint Telemetry Kubernetes Audit Logs

Required Tables

PROCESS_LAUNCH

False Positives

Legitimate DevOps engineers and SREs routinely run kubectl get pods/nodes and docker ps for operational monitoring and troubleshooting
CI/CD pipeline agents (Jenkins, GitLab Runner, GitHub Actions self-hosted) execute container enumeration commands as part of automated build, test, and deploy workflows
Kubernetes operators, admission controllers, and monitoring tools (Prometheus node-exporter, Datadog agent, Falco) query the kubelet API and Kubernetes API server continuously for health data
Container security scanners (Trivy, Anchore, Snyk) enumerate images and running containers during scheduled vulnerability assessments

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| ImageFileName = /docker|kubectl|crictl|podman|nsenter|runc/i
| case {
    CommandHistory = /--privileged|nsenter.*pid.*1/i | RiskLevel := "Critical";
    CommandHistory = /--pid=host|--cap-add=SYS_ADMIN|--net=host/i | RiskLevel := "High";
    CommandHistory = /exec|run.*-it/i | RiskLevel := "Medium";
    * | RiskLevel := "Low"
  }
| where RiskLevel in ("Critical", "High", "Medium")
| table([@timestamp, UserName, ComputerName, ImageFileName, CommandHistory, RiskLevel])

medium severity medium confidence

Data Sources

ProcessRollup2 (Falcon sensor)

Required Tables

ProcessRollup2

False Positives

Legitimate DevOps engineers and SREs routinely run kubectl get pods/nodes and docker ps for operational monitoring and troubleshooting
CI/CD pipeline agents (Jenkins, GitLab Runner, GitHub Actions self-hosted) execute container enumeration commands as part of automated build, test, and deploy workflows
Kubernetes operators, admission controllers, and monitoring tools (Prometheus node-exporter, Datadog agent, Falco) query the kubelet API and Kubernetes API server continuously for health data
Container security scanners (Trivy, Anchore, Snyk) enumerate images and running containers during scheduled vulnerability assessments

Container and Resource Discovery

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Discovery

Popular Detections