T1613 IBM QRadar · QRadar

Detect Container and Resource Discovery in IBM QRadar

This detection identifies adversaries performing container and resource discovery within Docker and Kubernetes environments. Attackers who gain initial access to a container or cluster node often enumerate running containers, pods, services, nodes, namespaces, and cluster configuration to understand the environment and plan lateral movement. Common methods include executing Docker CLI commands (docker ps, docker inspect, docker images), Kubernetes CLI commands (kubectl get pods/nodes/namespaces/services), querying the Docker daemon socket or Kubernetes API server programmatically, scanning for kubelets with tools like masscan, and using offensive tools such as Peirates. Detection focuses on process execution of enumeration commands—especially from unexpected parent processes, non-administrative accounts, or container contexts—as well as anomalous API query patterns against the Kubernetes API server.

MITRE ATT&CK

Tactic
Discovery
Technique
T1613 Container and Resource Discovery
Canonical reference
https://attack.mitre.org/techniques/T1613/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT username as "Username", "UTF8(payload)" as "CommandLine", sourceip as "SourceIP", devicetime as "EventTime", CASE WHEN "CommandLine" ILIKE '%--privileged%' OR "CommandLine" ILIKE '%nsenter%pid%1%' THEN 90 WHEN "CommandLine" ILIKE '%--pid=host%' OR "CommandLine" ILIKE '%--cap-add=SYS_ADMIN%' THEN 80 WHEN "CommandLine" ILIKE '%docker exec%' OR "CommandLine" ILIKE '%kubectl exec%' THEN 65 ELSE 50 END as "RiskScore" FROM events WHERE eventid = 4688 AND ("CommandLine" ILIKE '%docker%' OR "CommandLine" ILIKE '%kubectl%' OR "CommandLine" ILIKE '%crictl%' OR "CommandLine" ILIKE '%podman%' OR "CommandLine" ILIKE '%nsenter%') ORDER BY "RiskScore" DESC LAST 24 HOURS
medium severity medium confidence

IBM QRadar AQL translation of the T1613 detection. Uses SQL-like syntax with risk scoring. Detects process execution of Docker, kubectl, crictl, and ctr enumeration commands used to discover

Data Sources

Linux OSKubernetes Audit

Required Tables

events

False Positives & Tuning

  • Legitimate DevOps engineers and SREs routinely run kubectl get pods/nodes and docker ps for operational monitoring and troubleshooting
  • CI/CD pipeline agents (Jenkins, GitLab Runner, GitHub Actions self-hosted) execute container enumeration commands as part of automated build, test, and deploy workflows
  • Kubernetes operators, admission controllers, and monitoring tools (Prometheus node-exporter, Datadog agent, Falco) query the kubelet API and Kubernetes API server continuously for health data
  • Container security scanners (Trivy, Anchore, Snyk) enumerate images and running containers during scheduled vulnerability assessments
Download portable Sigma rule (.yml)

Other platforms for T1613

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Docker Container Enumeration via CLI

    Expected signal: Linux auditd execve syscall events or Sysmon EventCode=1 (ProcessCreate) showing docker binary executions with arguments: ps, images, network ls, volume ls, info, inspect. Parent process will be the invoking shell.

  2. Test 2Kubernetes Cluster Enumeration via kubectl

    Expected signal: Process creation events showing kubectl binary with arguments: get nodes, get pods, get namespaces, get services, get deployments, get serviceaccounts, cluster-info, get clusterrolebindings, auth can-i. Multiple events in rapid succession.

  3. Test 3Kubernetes Secrets Enumeration via kubectl and Direct API

    Expected signal: Process creation events for kubectl with 'get secrets' argument (risk score 90 in detection). If curl is used: process creation for curl with Kubernetes API URL pattern and bearer token in command line. In-container token file access may also appear in auditd open/read syscall logs.

Last updated: 2026-03-20 Research depth: deep
References (7)

Unlock Pro Content

Get the full detection package for T1613 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1611Escape to HostT1552.007Container APIT1087.001Local AccountT1087.002Domain AccountT1069.003Cloud GroupsT1033System Owner/User DiscoveryT1046Network Service DiscoveryT1615Group Policy DiscoveryT1021.007Cloud Services

Same Tactic: Discovery

Popular Detections